Step-by-step guide on how to perform Hands-On Security Control Testing for AC-11 using the FedRAMP Test Case Template with Determine-if Levels. AC-11 focuses on session lock controls.

FedRAMP standardizes the security assessment and authorization process for cloud products and services. AC-11 addresses session lock controls. Ensure you have the necessary access rights and authorization before proceeding.

• Access to the FedRAMP Test Case Template
• System documentation, security policies, and procedures
• Understanding of Determine-if Levels

1. Understand the Control Requirements:
   • Review FedRAMP AC-11 requirements and Determine-if levels.

2. Obtain the FedRAMP Test Case Template:
   • Download the AC-11 Test Case Template from the official FedRAMP source.

3. Gather Necessary Documentation:
   • Collect system architecture diagrams, security policies, and related records.
   • https://csrc.nist.gov/publications

4. Identify the Determine-if Levels:

   • Determine the applicable Determine-if levels for your system.

5. Review Evidence provided by client:

   • Review relevant screenshots of the configuration on the server.
     
     

6. Execute Test Cases:

   • Observe and examine the Access Control Policy noted that the AC-11 verbiage defined the time period of inactivity of 15 minutes (900 seconds).

7. Record Observations and Findings:

   • Document observations and findings during the tests.

8. Evaluate the Results:

   • Compare findings to Determine-if level expectations.

9. Report the Test Results:

   • Complete the Test Case Template reporting sections.

10. Review and Validation:

    • Have findings reviewed and validated by a qualified security assessor.

11. Mitigation and Remediation:

    • Develop and implement plans to address any deficiencies.

12. Document the Final Report:

    • Generate a comprehensive final report detailing results and actions taken.

13. Submit the Report:

    • Submit the report to the relevant governing body for assessment and authorization.

14. Continuous Monitoring:

    • Regularly assess and review session lock controls to maintain compliance.

15. Follow Up:

    • Continuously update the system to ensure ongoing compliance with AC-11 and other security requirements.

Ensure your report contains details of tests, outcomes, and any actions to address deficiencies.

Maintain continuous monitoring of session lock controls to uphold FedRAMP compliance.

FedRAMP compliance is an ongoing process. Stay informed about updates in FedRAMP guidelines and adjust your security controls accordingly.