ISC2 Governance, Risk and Compliance (CGRC) Practice Question

In an IaaS deployment that follows the FedRAMP shared-responsibility model, the cloud service provider is accountable for the underlying data-center facilities, including building access, physical entry controls, power, HVAC, and environmental safeguards. These requirements are captured in the Physical and Environmental Protection (PE) family of NIST SP 800-53 controls. Because tenants cannot influence these safeguards, the entire PE family is normally provided as common (inherited) controls in the provider's FedRAMP authorization package and simply referenced in the agency's SSP.

In contrast, the Identification and Authentication (IA), Access Control (AC), and Audit and Accountability (AU) families include many requirements-such as account management, role-based access, and log review-that the customer must still implement and document for its own workloads, so they are treated as system-specific or hybrid rather than fully inherited.