[Main text]
... can inherit physical and environmental protections from the IaaS, so the PaaS or SaaS does not need to submit deliverables for the controls it inherits. Other continuous monitoring activities do not require a deliverable and are reviewed by 3PAOs during security assessments. CSPs must be able to demonstrate to 3PAOs that ongoing continuous monitoring activities are in place and have been occurring as represented in the System Security Plan. For example, if a CSP has indicated in its System Security Plan that it monitors unsuccessful login attempts on an ongoing basis, the 3PAO may ask to see the log files, along with the CSP's analysis of those log files, for random dates over the course of the prior authorization period (e.g., biannual, annual).

In Table A1, refer to the "Description" column for information about what is required and when it must be submitted. A checkmark in either the CSP Authored Deliverable column or the 3PAO Authored Deliverable column of Table A1 indicates that a deliverable is required.

If concerns arise about the security posture of the CSP system, AOs may ask for a security artifact at any point in time. For example, if a CSP indicates in its System Security Plan that it actively monitors information system connections, the AO could ask the CSP to send log file snippets for a particular connection at any point in time. If it becomes known that an entity that connects to a CSP has been compromised by an unauthorized user, the AO may coordinate with the CSP to check on the CSP's interconnection monitoring. CSPs should anticipate that, aside from scheduled continuous monitoring deliverables and aside from testing performed by 3PAOs, AOs may request certain system artifacts on an ad hoc basis if there are concerns.
CSPs are required to submit a schedule of activities to their AOs within 15 days from the date of their authorization and annually thereafter. This schedule assists CSPs in managing continuous monitoring activities.

Note: For controls that do not have a check in either the CSP Authored Deliverable or the 3PAO Authored Deliverable column in Table A1, CSPs will be required to provide evidence of compliance minimally during the annual assessment and upon request.

Table A1 (columns: Row; Control Name; Control ID; Description; CSP Authored Deliverable; 3PAO Authored Deliverable; Notes)

Continuous and Ongoing

Row 1: Information System Monitoring (SI-4)
Description: The organization:
a. Monitors the information system to detect:
   1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
   2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Row 2: Auditable Events (AU-2a, AU-2d)
Description: Certain events must be continuously monitored. AU-2a auditable events: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. AU-2d frequency: continually.

Row 3: Information System Component Inventory (CM-8(3)a)
Description: CSPs must be able to detect new assets continuously, using automated mechanisms with a maximum five-minute delay in detection.
Notes: This activity should be automated.

Row 4: Incident Reporting (IR-6)
Description: CSPs must report incidents in accordance with the FedRAMP Incident Communications Procedure.
Notes: IR-6a. [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]

Row 5: Temperature & Humidity Controls (PE-14b)
Description: CSPs must monitor temperature and humidity controls continuously. Refer to ASHRAE Thermal Guidelines for Data Processing Environments.
Notes: Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.

Row 6: Vulnerability Scanning (RA-5(2))
Description: CSPs must update the list of vulnerabilities scanned continuously, before each scan.
Notes: Before scans are run, signatures must be updated to the most current version.

Row 7: Wireless Intrusion Detection (SI-4(14))
Description: The organiza
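As an added illustration, not taken from the FedRAMP guide or from any CSP's tooling, of how the CM-8(3)a requirement in Table A1 (new assets detected by automated mechanisms with at most a five-minute delay) can be checked against evidence before a 3PAO asks for it: the Python below compares constructed discovery records against a constructed inventory and flags every asset outside the inventory that was detected late or not at all. The inventory, the discovery records and the function names are assumptions made for this example; in practice a CSP would feed in first-seen times from DHCP or flow logs and detection times from its automated inventory mechanism.

```python
# Added example, not part of the FedRAMP guide: checking evidence for the
# CM-8(3)a requirement that automated mechanisms detect new assets with at
# most a five-minute delay. Inventory and discovery records are constructed.
from datetime import datetime, timedelta, timezone

MAX_DETECTION_DELAY = timedelta(minutes=5)

# Constructed sample: assets already recorded in the CM-8 component inventory.
KNOWN_ASSETS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}

# Constructed sample discovery records: (first time the asset was observed on
# the network, e.g. from DHCP or flow logs; time the automated inventory
# mechanism recorded it, or None if it never did; asset address).
DISCOVERY_RECORDS = [
    ("2024-03-04T10:00:00Z", "2024-03-04T10:02:30Z", "10.0.1.10"),  # already in inventory
    ("2024-03-04T10:05:00Z", "2024-03-04T10:07:10Z", "10.0.1.40"),  # new, detected in 130 s
    ("2024-03-04T10:10:00Z", "2024-03-04T10:18:00Z", "10.0.1.41"),  # new, detected in 480 s
    ("2024-03-04T10:12:00Z", None, "10.0.1.42"),                   # new, never detected
]


def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_detection(known_assets, records, max_delay=MAX_DETECTION_DELAY):
    """Return one finding per asset that is not in the inventory.

    status is "ok" when the automated mechanism recorded the asset within
    max_delay of its first appearance, "late" when it recorded it after the
    window, and "undetected" when it never recorded it at all.
    """
    findings = []
    for first_seen, detected_at, asset in records:
        if asset in known_assets:
            continue  # already inventoried; nothing new to detect
        if detected_at is None:
            findings.append({"asset": asset, "status": "undetected", "delay_s": None})
            continue
        delay = parse_ts(detected_at) - parse_ts(first_seen)
        status = "ok" if delay <= max_delay else "late"
        findings.append({"asset": asset, "status": status,
                         "delay_s": int(delay.total_seconds())})
    return findings


def control_satisfied(findings):
    """CM-8(3)a holds for the sample only if every new asset was detected in time."""
    return all(f["status"] == "ok" for f in findings)


if __name__ == "__main__":
    results = evaluate_detection(KNOWN_ASSETS, DISCOVERY_RECORDS)
    for f in results:
        print(f"{f['asset']:<12} {f['status']:<10} delay_s={f['delay_s']}")
    print("CM-8(3)a satisfied:", control_satisfied(results))
```

The "undetected" case is the one to watch for: an asset that appears in network evidence but never in the inventory feed produces no delay at all, so a check that only measures recorded delays would silently pass it. Retaining the per-asset findings, rather than just the pass/fail summary, gives the 3PAO the kind of analysed evidence the guide describes.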