Rules around public APIs

old.reddit.com / @/u/Intellemerc, https://old.reddit.com/user/Intellemerc

Hello, does anyone have any guidance or docs on proper controls around APIs from a CSP perspective? We currently use Azure API Management to publish APIs our application exposes to customers which is authorized.

For Federal gov on FedRAMP moderate ATO SaaS app. We currently disabled our APIs but have been asked what it would take to enable.

We utilize API keys currently; that does not seem sufficient for FedRAMP, but I don't know good alternatives and I can't find any NIST rules around it.

submitted by /u/Intellemerc

published about 1 year ago



