Skip to content

FedRAMP Low Baseline Rev 4

Best for: Cloud service providers (CSPs) seeking or maintaining a FedRAMP Low authorization to operate (ATO) for systems handling low-impact federal data under FIPS 199. This applies to any CSP, regardless of size, that sells cloud services to U.S. federal agencies where loss of confidentiality, integrity, or availability would have limited adverse effects. If your agency sponsor issued your ATO under NIST 800-53 Rev 4, this baseline applied to you. New authorizations require Rev 5.

Mandatory?Mandatory for CSPs selling to U.S. federal agencies
Who validates?3PAO (Third Party Assessment Organization) · No self-assessment
RenewalContinuous monitoring; annual assessment
ScopeCloud service offering for federal use (low impact)

🏛 U.S. General Services Administration (GSA), FedRAMP Program Management Office (PMO) · FedRAMP Low Rev 4 Official source →

Get Started

module "..." {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Audit Logging and Monitoring: Runs 11 controls validating CloudTrail configuration across regions, S3 data event logging, CloudWatch integration, log file validation, alarm actions, and log retention periods. Covers the technical requirements for AU-2, AU-3, AU-6, AU-9, and AU-12.
    • Encryption and Certificate Management: ACM certificate expiration windows and KMS CMK encryption on CloudTrail logs are both evaluated. Customer-managed keys satisfy SC-28; AWS-managed defaults do not, and the check distinguishes between them.
    • Boundary Protection and Network Segmentation: Three SC-7 boundary checks: Auto Scaling launch configurations must not assign public IPs, DMS replication instances must not be publicly accessible, and API Gateway stages must have WAF web ACLs attached.
    • Backup and Recovery: Validates that AWS Backup plan retention meets the 35-day minimum and that Auto Scaling groups behind load balancers use health checks to support automatic instance recovery.
    • Secure Development and Build Configuration: Two CodeBuild checks: whether projects store sensitive AWS values in plaintext environment variables, and whether source repositories authenticate via OAuth rather than personal access tokens.

  • What you handle

    • Audit Logging and Monitoring: Defining audit event types in your SSP, performing regular log reviews (the procedural requirement under AU-6), documenting your audit reduction and report generation process, and establishing and testing alerting thresholds for security-relevant events.
    • Encryption and Certificate Management: Documenting key management procedures, implementing rotation schedules, managing key access policies, and confirming FIPS 140-2 validated cryptographic modules are used where SC-13 requires them.
    • Boundary Protection and Network Segmentation: Documenting the full authorization boundary in your SSP, maintaining current network architecture diagrams, configuring WAF rule sets appropriate to your threat model, and managing security group rules outside the scope of these specific checks.
    • Backup and Recovery: Writing and testing your Contingency Plan (CP), conducting annual contingency plan tests per CP-4, defining recovery time and recovery point objectives, and documenting backup restoration test results.
    • Secure Development and Build Configuration: Establishing a full secure development lifecycle under SA-11, routing secrets through a dedicated secrets manager, and maintaining documented configuration baselines for all build and deployment pipelines.

Controls by Category

Audit and Accountability (AU) (6 controls)

3PAOs verify that audit logging covers the full authorization boundary with no gaps. They expect CloudTrail enabled across all regions (AU-2, AU-3, AU-12), log integrity validation confirming logs have not been tampered with (AU-9), and centralized aggregation through CloudWatch (AU-6). Trails scoped to a single region and log groups with retention periods too short to support incident investigation timelines are the most common findings in this category.

At least one enabled trail should be present in a region CloudTrail trails should be integrated with CloudWatch logs CloudTrail trail log file validation should be enabled API Gateway stage logging should be enabled CloudWatch alarm should have an action configured compliance.tf module Log group retention period should be at least 365 days compliance.tf module

Contingency Planning (CP) (1 control)

CP-9 backup retention is what assessors ask for first: the 35-day minimum aligns with FedRAMP continuous monitoring requirements for data recovery. Health check configuration on Auto Scaling groups covers the CP-10 automatic recovery requirement by ensuring unhealthy instances are replaced without manual intervention. Come prepared with evidence of tested recovery procedures, not just configured backup policies.

Backup plan min frequency and min retention check

System and Communications Protection (SC) (2 controls)

Assessors check encryption in transit and at rest (SC-8, SC-28) and boundary protection controls (SC-7), treating expired or near-expiry ACM certificates as direct findings rather than observations. Public IP assignment on Auto Scaling launch configurations and DMS replication instances violates SC-7, as does an API Gateway stage without a WAF web ACL attached.

CloudTrail trail logs should be encrypted with KMS CMK DMS replication instances should not be publicly accessible compliance.tf module
Additional Controls (65)

AWS IAM (3)

Ensure IAM password policy requires a minimum length of 14 or greater Password policies for IAM users should have strong configurations with minimum length of 8 or greater IAM password policies for users should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabled compliance.tf module

AWS Lambda (4)

Lambda functions concurrent execution limit configured compliance.tf module Lambda functions should be configured with a dead-letter queue compliance.tf module Lambda functions should be in a VPC compliance.tf module Lambda functions should restrict public URL compliance.tf module

Amazon CloudWatch Logs (1)

Log group encryption at rest should be enabled compliance.tf module

Amazon DynamoDB (1)

DynamoDB table point-in-time recovery should be enabled compliance.tf module

Amazon EC2 (5)

EC2 instance detailed monitoring should be enabled compliance.tf module EC2 instance should have EBS optimization enabled compliance.tf module EC2 instances should be in a VPC compliance.tf module EC2 instances should not have a public IP address compliance.tf module EC2 instances should use IMDSv2 compliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater compliance.tf module

Amazon OpenSearch Service (2)

OpenSearch domains logs to AWS CloudWatch Logs compliance.tf module OpenSearch domains node-to-node encryption should be enabled compliance.tf module

Amazon RDS (13)

RDS clusters should have deletion protection enabled compliance.tf module RDS DB instance and cluster enhanced monitoring should be enabled compliance.tf module RDS DB instance backup should be enabled compliance.tf module RDS DB instances backup retention period should be greater than or equal to 7 compliance.tf module RDS DB instances should be integrated with CloudWatch logs compliance.tf module RDS DB instances should have deletion protection enabled compliance.tf module Database logging should be enabled compliance.tf module RDS for MariaDB DB instances should publish logs to CloudWatch Logs compliance.tf module RDS DB instance multiple az should be enabled compliance.tf module RDS DB instances should not use public subnet compliance.tf module RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs compliance.tf module RDS DB instances should prohibit public access compliance.tf module RDS for SQL Server DB instances should publish logs to CloudWatch Logs compliance.tf module

Amazon Redshift (7)

AWS Redshift audit logging should be enabled compliance.tf module AWS Redshift clusters should have automatic snapshots enabled compliance.tf module Redshift cluster encryption in transit should be enabled compliance.tf module Redshift cluster audit logging and encryption should be enabled compliance.tf module AWS Redshift clusters should be encrypted with KMS compliance.tf module AWS Redshift should have required maintenance settings compliance.tf module Redshift clusters should prohibit public access compliance.tf module

Amazon S3 (12)

S3 bucket cross-region replication should be enabled compliance.tf module S3 bucket default encryption should be enabled compliance.tf module S3 bucket default encryption should be enabled with KMS compliance.tf module S3 bucket logging should be enabled compliance.tf module S3 bucket ACLs should not be accessible to all authenticated user compliance.tf module S3 buckets object logging should be enabled S3 bucket policy should prohibit public access compliance.tf module S3 buckets should prohibit public read access compliance.tf module S3 buckets should prohibit public write access compliance.tf module S3 bucket versioning should be enabled compliance.tf module S3 public access should be blocked at account level compliance.tf module S3 public access should be blocked at bucket levels compliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at rest compliance.tf module

Amazon SageMaker (4)

SageMaker endpoint configuration encryption should be enabled SageMaker notebook instances should not have direct internet access SageMaker notebook instances should be encrypted using CMK SageMaker notebook instance encryption should be enabled

Amazon VPC (1)

VPC subnet auto assign public IP should be disabled compliance.tf module

Elastic Load Balancing (6)

ELB application and classic load balancer logging should be enabled compliance.tf module ELB application load balancer deletion protection should be enabled compliance.tf module ELB application load balancers should be configured to drop HTTP headers compliance.tf module Application Load Balancer should be configured to drop invalid http headers compliance.tf module Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit compliance.tf module ELB classic load balancers should have cross-zone load balancing enabled compliance.tf module

Other (3)

ES domains should be in a VPC Elasticsearch domain should send logs to CloudWatch Elasticsearch domain node-to-node encryption should be enabled

  • NIST 800-53 Rev 4 — 🟢 High overlap (85%)

    FedRAMP Low Rev 4 is a direct subset of NIST 800-53 Rev 4, selecting 125 controls from the full catalog and adding FedRAMP-specific parameter values. If you have already mapped to the full 800-53 Rev 4 catalog, the FedRAMP Low controls are covered, though FedRAMP imposes stricter parameter settings on several of them.

  • FedRAMP Moderate Rev 4 — 🟢 High overlap (70%)

    FedRAMP Moderate Rev 4 is a superset of the Low baseline, adding approximately 200 controls. Every Low control appears in Moderate, so Low compliance is a useful foundation if you later need Moderate authorization.

  • NIST 800-53 Rev 5 — 🟢 High overlap (65%)

    NIST 800-53 Rev 5 reorganized and expanded the control catalog relative to Rev 4. Many Rev 4 controls map directly to Rev 5 equivalents, but Rev 5 introduced new control families (PT, SR) and consolidated others. The FedRAMP Rev 5 baselines draw from this updated catalog.

Frequently Asked Questions

Is FedRAMP Low Rev 4 still valid for new authorizations?

No. New authorization packages must use the Rev 5 baselines. CSPs with existing Rev 4 ATOs were required to transition during their annual assessment cycle. If you are starting a new FedRAMP effort, use the Rev 5 Low baseline.

What is the difference between FedRAMP Low and FedRAMP Moderate?

FedRAMP Low requires approximately 125 controls and applies to systems where loss of confidentiality, integrity, or availability would have limited adverse effect. FedRAMP Moderate requires roughly 325 controls and applies where that loss would have serious adverse effect. Most federal systems handling PII or sensitive operational data require Moderate. Low is typically used for publicly available information or collaboration tools that do not carry sensitive data.

How long does a FedRAMP Low authorization take?

Expect 6 to 12 months for a new authorization. The timeline depends on your organization's security maturity, documentation readiness, and whether you pursue a Joint Authorization Board (JAB) provisional ATO or an agency-specific ATO. Agency ATOs can move faster when the sponsoring agency is engaged. The 3PAO assessment itself typically runs 4 to 8 weeks, but SSP development and finding remediation consume most of the overall timeline.

Can I reuse my FedRAMP Low Rev 4 controls for the Rev 5 transition?

Partially. Many Rev 4 controls map directly to Rev 5 equivalents, so existing implementation evidence carries over. Rev 5 did introduce new controls, changed parameter requirements, and restructured some control families, so you will need a gap analysis against the Rev 5 Low baseline. The FedRAMP PMO published transition guidance with a mapping spreadsheet to help identify what needs to change.

What does compliance.tf cover versus what the 3PAO assesses?

compliance.tf automates checks for technical control implementations: whether CloudTrail is enabled, encryption is configured, public access is restricted, and similar infrastructure-level settings. A 3PAO assessment covers the full 125-control baseline, including procedural controls (personnel security, physical access, incident response plans), policy documentation, and organizational processes that infrastructure scanning cannot reach. compliance.tf covers the technical subset and generates continuous evidence between annual assessments.