FedRAMP IAM controls audit checklist — Moderate + High baselines

AC-2 is the most-cited control in IAM-related findings. Every JML flow + every privileged account class generates evidence.

• AC-2 — Account types defined

  Evidence

  System Security Plan section listing all account types (privileged, non-privileged, service, shared, guest) with owner + lifecycle policy.

  Who owns

  CISO / Compliance lead

• AC-2(1) — Automated account management

  Evidence

  Screenshot or system export showing automated account creation triggered from HRIS; ticket evidence for the prior 30 days of creates.

  Who owns

  IAM engineering

• AC-2(3) — Disable inactive accounts

  Evidence

  Policy document defining inactivity threshold (typically 35 days for FedRAMP) + audit log proving disabled accounts.

  Who owns

  IAM engineering

• AC-2(7) — Privileged account monitoring

  Evidence

  Session-recording evidence for privileged sessions in the audit window. PAM platform export.

  Who owns

  Privileged access lead

• AC-2(12) — Anomalous behavior detection

  Evidence

  SIEM rule documentation + alert history showing detection of anomalous privileged-account use.

  Who owns

  SOC / Detection lead

• IA-2(1) — MFA for privileged accounts

  Evidence

  Conditional Access / sign-on policy export showing MFA requirement on privileged role assignment.

  Who owns

  IAM engineering

• IA-2(12) — Phishing-resistant MFA for privileged (High baseline)

  Evidence

  Policy + evidence (sign-in logs filtered by privileged users) showing FIDO2 / smart card use, not SMS / push-only.

  Who owns

  IAM engineering

• IA-5(1) — Password complexity policy

  Evidence

  Effective password policy export. For modern FedRAMP, evidence showing alignment with NIST 800-63B (no forced rotation, screen against breach corpora, minimum entropy).

  Who owns

  IAM engineering

• AC-3 — Access enforcement

  Evidence

  Authorization policy documentation + sample policy evaluations from production.

  Who owns

  Application security

• AC-5 — Separation of duties

  Evidence

  Documented SoD matrix + IGA rule export proving incompatible role combinations are prevented at request time.

  Who owns

  IAM governance

• AC-6(1) — Least privilege

  Evidence

  Sample privileged role definitions; periodic role-mining reports showing reduction trend.

  Who owns

  IAM governance

• AC-6(5) — Privileged accounts least privilege

  Evidence

  PAM platform report showing JIT elevation usage; standing-privilege account count + remediation plan.

  Who owns

  Privileged access lead

• AU-2 — Audit events

  Evidence

  Documented list of identity-related audit events being captured (logon success/failure, privilege use, account modification, MFA enroll, etc.).

  Who owns

  SOC / IAM engineering

• AU-6 — Audit review + analysis

  Evidence

  SIEM dashboards + sample alert investigations showing identity events are reviewed, not just collected.

  Who owns

  SOC

• AU-11 — Audit record retention

  Evidence

  Documented retention period (1 year online + 3 years offline for Moderate/High); export sample from cold storage proving recoverability.

  Who owns

  SOC / Compliance

• CA-7 — Continuous monitoring (monthly evidence)

  Evidence

  Monthly evidence package showing IAM control state — account counts, MFA coverage, privileged-account changes, certification status.

  Who owns

  Compliance lead

  Collection tip

  Evidence-as-code is increasingly expected. Manual monthly screenshot collection is sustainable for the first year but breaks down at scale.

• PL-2 — System Security Plan IAM sections

  Evidence

  Current SSP with IAM control narratives reflecting actual implementation, not target state.

  Who owns

  Compliance lead