ARCS / FedRAMP
Overview
FedRAMP is the U.S. federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud services, with baselines derived from NIST SP 800-53 Rev. 5.
ARCS is a separate lifecycle-governance standard for the records AI systems create. This crosswalk identifies where FedRAMP requirements intersect with ARCS, beyond the base SP 800-53 mapping.
Interpretive status
This instrument is an informative crosswalk focused on FedRAMP-specific operational requirements that extend beyond the underlying NIST SP 800-53 control catalog: authorization process, continuous monitoring, inheritance model, evidence discipline, and third-party assessment posture.
Framework scope
FedRAMP authorization extends beyond SP 800-53 baselines to include system security plan (SSP) documentation, authorization package assembly, third-party assessment organization (3PAO) assessment, inheritance and shared responsibility modeling, continuous monitoring, and plan of action and milestones (POA&M) evidence discipline.
ARCS relevance
FedRAMP evaluates whether security controls are implemented and operating effectively. ARCS governs the lifecycle and custody of interaction records created within those environments: SSP content, continuous monitoring (ConMon) assertions, inheritance boundary documentation, POA&M evidence, and 3PAO review surfaces.
Selected mappings
Table A maps selected FedRAMP authorization and operational themes to ARCS control families. The mapping focuses on the FedRAMP-specific delta beyond the underlying NIST SP 800-53 controls.
| FedRAMP theme | Reference | ARCS families | Crosswalk note |
|---|---|---|---|
| Authorization package and system security plan | FedRAMP SSP template | ARCS-OPB, ARCS-CUS, ARCS-TAX, ARCS-VER | FedRAMP requires a system security plan documenting control implementation. ARCS strengthens the record-governance sections of an SSP by providing documented lifecycle treatment, custody chain mapping, classification architecture, and verification posture for interaction records. |
| Continuous monitoring | FedRAMP ConMon | ARCS-VER, ARCS-LIF, ARCS-CUS | FedRAMP requires ongoing monitoring of control effectiveness. ARCS supports continuous monitoring by providing verifiable lifecycle state, custody visibility, and attestation discipline for interaction records, making monitoring assertions about record governance testable. |
| Audit and accountability (AU family) | 800-53 AU baseline | ARCS-LIF, ARCS-VER, ARCS-TAX | FedRAMP baselines include AU controls from NIST SP 800-53. ARCS extends the record-governance posture of audit artifacts by treating them as classified record types with defined lifecycle, retention, and verification requirements. |
| Access control (AC family) | 800-53 AC baseline | ARCS-CUS, ARCS-OPB, ARCS-PUB | FedRAMP baselines include AC controls. ARCS complements access controls by documenting operator boundaries, custody surfaces, and publish-boundary events for interaction records across the authorization boundary. |
| Incident response (IR family) | 800-53 IR baseline | ARCS-PV, ARCS-CUS, ARCS-VER | FedRAMP baselines include IR controls. ARCS governs preservation of incident-related interaction records, custody documentation for evidentiary purposes, and verification of record state during response. |
| System integrity (SI family) | 800-53 SI baseline | ARCS-VER, ARCS-AGT, ARCS-LIF | FedRAMP baselines include SI controls. ARCS contributes where system integrity obligations touch interaction-record verification, agent runtime governance, and lifecycle state integrity. |
| Inheritance and shared responsibility | FedRAMP inheritance model | ARCS-CUS, ARCS-OPB, ARCS-VER | FedRAMP distinguishes inherited, shared, and system-specific controls. ARCS supports the record-governance layer of inherited and shared controls by documenting where interaction record custody resides, which vendor surfaces hold records, and whether governance claims are testable across the inheritance boundary. |
| Plan of action and milestones (POA&M) | FedRAMP POA&M | ARCS-VER, ARCS-LIF | FedRAMP requires POA&M documentation for control deficiencies. ARCS supports POA&M evidence discipline by providing verifiable lifecycle and custody state for interaction records referenced in remediation plans. |
| Third-party assessment | 3PAO examination | ARCS-VER, ARCS-CUS, ARCS-OPB | FedRAMP requires third-party assessment of control implementation. ARCS strengthens assessor evidence by providing documented, verifiable custody chains, operator boundaries, and lifecycle treatment for interaction records in scope. |
Outside scope
ARCS governs several record-lifecycle domains that fall outside FedRAMP's authorization and monitoring framework:
Non-creation claim verification
ARCS-NCR (NCR-01 to NCR-06)
FedRAMP does not separately address claims that interaction records are neither created nor retained. ARCS requires architectural verification of non-creation claims.
Agent tool-use and delegation
ARCS-AGT (AGT-01 to AGT-13), ARCS-DEL (DEL-01 to DEL-12)
FedRAMP baselines do not separately govern the record-lifecycle consequences of AI agent tool use or delegation chains. ARCS provides agent-specific and delegation-specific record governance.
Deletion verifiability
ARCS-LIF (LIF-12, LIF-13), ARCS-VER (VER-01 to VER-03)
FedRAMP baselines include disposal controls but do not require the level of deletion verifiability ARCS specifies, including vendor deletion verifiability assessment and precluded deletion analysis.
Publish-boundary governance
ARCS-PUB (PUB-01 to PUB-06)
FedRAMP addresses information flow controls but does not govern the full lifecycle of records that cross publication, export, or disclosure boundaries. ARCS governs post-export lifecycle consequences.