
FedRAMP Moderate Baseline Rev 4

Best for: Cloud service providers (CSPs) seeking or maintaining a FedRAMP Authorization to Operate (ATO) at the Moderate impact level to sell services to U.S. federal agencies. Any CSP whose cloud offering handles federal data classified at FIPS 199 Moderate must meet this baseline, covering the majority of federal cloud procurements. Company size is irrelevant; the trigger is the federal contract.

Mandatory? Mandatory for CSPs selling to U.S. federal agencies
Who validates? 3PAO (Third Party Assessment Organization) · No self-assessment
Renewal: Continuous monitoring; annual assessment
Scope: Cloud service offering for federal use (moderate impact)

Governing body: U.S. General Services Administration (GSA), FedRAMP Program Management Office (PMO) · Official source: FedRAMP Moderate Rev 4

Get Started

module "..." {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Audit Logging and Monitoring: Checks 11 controls across CloudTrail configuration: multi-region enablement, S3 data event logging (read and write), log file validation, KMS encryption of trail logs, CloudWatch Logs integration, log retention periods, and alarm action configuration.
    • Encryption in Transit and at Rest: Four controls cover encryption posture: ACM certificate expiration status, API Gateway SSL certificate usage and cache encryption, and CloudTrail log encryption with a KMS CMK.
    • Network Boundary Protection: Validates WAF association on API Gateway stages and confirms Auto Scaling launch configurations have public IP assignment disabled.
    • Backup and Recovery: Checks that AWS Backup plans meet the 35-day minimum retention requirement and that Auto Scaling groups behind load balancers use health checks for automated instance recovery.
    • Secure Configuration Management: Scans CodeBuild project configurations for plaintext sensitive values in environment variables.
  • What you handle

    • Audit Logging and Monitoring: Defining AU-2 auditable events in the SSP, configuring alert thresholds and incident response procedures for CloudWatch alarms, performing AU-6 log review on a defined schedule, and maintaining evidence of log review activities for the 3PAO.
    • Encryption in Transit and at Rest: Documenting FIPS 140-2 validation status for cryptographic modules in use, defining key management procedures per SC-12, configuring KMS key rotation, and maintaining a cryptographic inventory in the SSP.
    • Network Boundary Protection: The full authorization boundary definition lives in your SSP, and everything beyond these two checks falls on you: WAF rule tuning, security group and NACL configurations across all VPC resources, and data flow diagrams.
    • Backup and Recovery: Performing and documenting annual backup restoration tests per CP-9, maintaining a contingency plan (CP-2), conducting contingency plan testing (CP-4), and defining recovery time and recovery point objectives.
    • Secure Configuration Management: Establishing and enforcing baseline configurations per CM-2, managing configuration change control processes (CM-3), performing configuration audits (CM-6), and documenting approved software inventories (CM-7).

Controls by Category

Audit and Accountability (AU) (6 controls)

3PAOs verify that audit logging covers all authorization boundary components per AU-2 and AU-3. They check for multi-region CloudTrail coverage, log integrity validation (AU-10), integration with a centralized log management solution (AU-6), and retention periods meeting the FedRAMP requirement of at least one year online and three years total (AU-11). A common finding is missing S3 data event logging, which leaves object-level access unaudited.
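As an added example that is not compliance.tf's or the page's own code, the following Python evaluates one CloudTrail trail against the automated AU checks listed under "What Compliance.tf automates" and the 3PAO expectations above (multi-region coverage, log file validation, KMS encryption, CloudWatch Logs integration, S3 data events for reads and writes, one-year online retention). The input dicts mirror the shape of boto3 describe_trails, get_event_selectors and describe_log_groups output; the sample trail, bucket and ARNs are constructed.

```python
# Added example (not compliance.tf's own code): evaluate a CloudTrail trail
# against the automated AU checks described on this page. Input dicts mirror
# the shape of boto3 describe_trails / get_event_selectors / describe_log_groups
# output; the samples below are constructed, not captured from a real account.

def check_trail(trail, selectors, retention_in_days=None):
    """Return {check_name: passed} for one trail.

    retention_in_days is the CloudWatch log group's retentionInDays; boto3
    omits that key when logs never expire, which satisfies the one-year
    online retention parameter (AU-11), so None counts as a pass.
    """
    # S3 data events must cover both reads and writes: either one "All"
    # selector or a ReadOnly plus a WriteOnly selector on S3 objects.
    modes = set()
    for sel in selectors:
        resources = sel.get("DataResources", [])
        if any(r.get("Type") == "AWS::S3::Object" for r in resources):
            modes.add(sel.get("ReadWriteType", "All"))
    s3_data_events = "All" in modes or {"ReadOnly", "WriteOnly"} <= modes
    return {
        "multi_region": bool(trail.get("IsMultiRegionTrail")),
        "log_file_validation": bool(trail.get("LogFileValidationEnabled")),
        "kms_encrypted": bool(trail.get("KmsKeyId")),
        "cloudwatch_logs": bool(trail.get("CloudWatchLogsLogGroupArn")),
        "s3_data_events": s3_data_events,
        "retention_one_year": retention_in_days is None or retention_in_days >= 365,
    }

def failing_checks(trail, selectors, retention_in_days=None):
    """Sorted names of the checks that fail, i.e. the findings for this trail."""
    results = check_trail(trail, selectors, retention_in_days)
    return sorted(name for name, ok in results.items() if not ok)

# Constructed sample: multi-region and validated, but no KMS key, S3 data
# events for writes only, and a 90-day log group: three findings, including
# the common "missing S3 data event logging" one.
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "S3BucketName": "example-trail-bucket",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:trail:*",
}
SAMPLE_SELECTORS = [
    {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]},
]

if __name__ == "__main__":
    for name in failing_checks(SAMPLE_TRAIL, SAMPLE_SELECTORS, 90):
        print(f"FAIL {SAMPLE_TRAIL['Name']}: {name}")
```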

Contingency Planning (CP) (1 control)

The most common CP finding is an untested backup: CP-9(1) requires documented restoration testing within the past year, and many organizations cannot produce the evidence. Beyond that, assessors check backup frequency and retention settings against the SSP, and review whether Auto Scaling health checks are configured to support CP-10 recovery objectives.

System and Communications Protection, Cryptographic Controls (SC-8, SC-13, SC-28) (3 controls)

Assessors validate that data in transit uses FIPS 140-2 validated cryptographic modules (SC-13) and that data at rest is encrypted with customer-managed keys where applicable (SC-28). Expired or soon-to-expire ACM certificates are flagged as SC-8 findings. Auditors commonly request evidence of KMS key policies and key rotation configurations alongside the encryption settings themselves.

Additional Controls (86)

  • AWS Database Migration Service (1)
  • AWS IAM (9)
  • AWS KMS (1)
  • AWS Lambda (4)
  • Amazon CloudWatch Logs (1)
  • Amazon DynamoDB (1)
  • Amazon EBS (2)
  • Amazon EC2 (5)
  • Amazon ECR (1)
  • Amazon EFS (2)
  • Amazon ElastiCache (1)
  • Amazon OpenSearch Service (3)
  • Amazon RDS (14)
  • Amazon Redshift (7)
  • Amazon S3 (15)
  • Amazon SNS (1)
  • Amazon SageMaker (4)
  • Amazon VPC (2)
  • Elastic Load Balancing (8)
  • Other (4)

Frequently Asked Questions

Should I pursue FedRAMP Moderate Rev 4 or Rev 5?

Rev 5. The FedRAMP PMO requires all new authorizations to use Rev 5 baselines. Existing Rev 4 ATOs must transition according to the timeline published by the PMO (originally one year from Rev 5 release, with extensions granted case by case). If you hold a Rev 4 ATO and have not started your transition, begin mapping Rev 4 controls to Rev 5 equivalents now. The Rev 5 baseline adds controls in areas like supply chain risk management and privacy.

How long does FedRAMP authorization take and what does it cost?

Typical timelines run 12 to 18 months from initial engagement to ATO, depending on the CSP's existing security posture and authorization path. The JAB (Joint Authorization Board) path is generally longer but produces a provisional ATO reusable across agencies; the agency path moves at the sponsoring agency's pace. Costs vary widely: $1M to $3M is common for initial authorization when accounting for 3PAO assessment fees, remediation, SSP development, and staff time. Annual continuous monitoring adds $500K or more.

What is the difference between FedRAMP Moderate and NIST 800-53 Moderate?

FedRAMP Moderate uses NIST 800-53 as its control catalog but layers on additional requirements: mandatory use of a FedRAMP-accredited 3PAO, specific parameter values (e.g., AU-11 requires one year of online log retention), controls beyond NIST's moderate baseline, continuous monitoring reporting to the FedRAMP PMO, and use of FedRAMP templates for the SSP, SAR, and POA&M. Meeting NIST 800-53 Moderate alone does not satisfy FedRAMP.

How many of the 325 controls can be automated with infrastructure-as-code checks?

Roughly 30 to 40 percent of FedRAMP Moderate controls have technical configurations that can be validated through automated scanning, including this compliance.tf module's 50 mapped controls. The remaining controls are procedural, organizational, or require human judgment: personnel security (PS family), physical protection (PE family), security planning (PL family), and risk assessment processes (RA family) cannot be verified through API-based configuration checks.

Can I inherit controls from my IaaS provider's FedRAMP authorization?

Yes, and you should. AWS, Azure, and GCP each hold FedRAMP High authorizations. Controls fully implemented by the IaaS provider (e.g., PE-family physical security controls) are inherited and documented in your SSP's Customer Responsibility Matrix (CRM). Partially inherited controls require you to implement your portion, and your 3PAO will validate that inherited control claims match the IaaS provider's CRM. A SaaS built on FedRAMP-authorized IaaS can typically inherit 30 to 50 percent of Moderate controls.