In the context of compliance frameworks like NIST SP 800-53 (the control catalog that FedRAMP baselines are built from), these acronyms are the two-letter prefixes of specific “Control Families.” Each family groups together related security requirements, and individual controls are numbered within the family (for example, RA-5 is the fifth control in the Risk Assessment family).

RA: Risk Assessment

The RA family focuses on identifying and managing risks to the organization, its assets, and individuals.

  • What it covers: Performing formal risk assessments of your infrastructure (RA-3), conducting regular vulnerability scanning and monitoring (RA-5), and developing strategies to mitigate the threats those activities identify.
  • SOC 2 Connection: This maps to the “Risk Assessment” criteria (CC3) of the SOC 2 Trust Services Criteria, where you must identify and analyze risks to your objectives, including changes that could significantly impact your system of internal control.

CM: Configuration Management

The CM family is about maintaining the integrity of your systems by controlling how configurations are initialized, changed, and monitored over time.

  • What it covers: Establishing baseline configurations (standard “images” or builds, CM-2), controlling changes to the system (Change Management, CM-3), and maintaining an accurate inventory of system components (CM-8).
  • SOC 2 Connection: This maps to the Change Management criteria (CC8), which require that systems are developed, configured, and modified in a controlled, authorized manner.

SA: System and Services Acquisition

The SA family focuses on the resources and procedures used to acquire or build new systems, as well as managing third-party providers.

  • What it covers: Defining and following a system development life cycle (SDLC, SA-3), applying secure engineering and developer security practices to what you build or acquire, managing supply chain risk (the series uses SBOM and SLSA for this), and ensuring that external service providers (vendors) meet your security requirements. Note that in SP 800-53 Rev. 5 most of the dedicated supply chain controls moved out of SA into their own family, SR (Supply Chain Risk Management).
  • The “SA-9” Mention: SA-9, External System Services, is the vendor management control. It requires that providers of any third-party service you depend on (SaaS, sub-processor, etc.) comply with your organization’s security requirements, and that you define the oversight and roles used to monitor their compliance.

AC: Access Control

The AC family covers managing who has access to what: account management, authentication and authorization decisions, separation of duties, and enforcement of the principle of least privilege.

AU: Audit and Accountability

The AU family covers generating, protecting, and retaining system audit logs so that user and system activity can be traced to an accountable party, reviewed, and used to support investigations.

SI: System and Information Integrity

The SI family covers protecting systems against malicious code, remediating flaws (patching) in a timely way, monitoring the system for indicators of attack, and validating inputs and handling errors so that information is processed correctly throughout its lifecycle.

Use this page as a quick reference while reading the series. These families appear throughout the FedRAMP SSP narrative, and knowing what each acronym stands for makes the control discussions significantly easier to follow.