Does anyone know why FedRAMP use information system in their additional guidance and requirements, when NIST removed information and only use system to allow 800-53 Rev 5 to be applicable across all systems? Also why did they list AU-3 Content of Audit Records with lower case letters but not for AU-3 (1) Additional Audit Information?
[link] [comments]