Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

FedRAMP Revision 5 Explained

Published 07/14/2023

Home
Industry Insights
FedRAMP Revision 5 Explained

Originally published by Schellman.

Given its standardized approach to assessing, authorizing, and continuously monitoring cloud services used by federal agencies, the Federal Risk and Authorization Management Program (FedRAMP) has been a critical component of the U.S. government's cloud security strategy since its inception in 2011.

As anyone who has worked through the program before understands, FedRAMP leverages the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 guidelines for security and privacy controls for federal information systems. These controls are analyzed for applicability and parameters are tailored to cloud systems and have since been revised several times.

On May 30, 2023, FedRAMP released the latest Rev 5 of its security control baselines—Rev 5 both incorporates the latest updates from NIST SP 800-53 Revision 5 and aligns with FedRAMP's goal of ensuring that security controls are up to date with the latest security standards and practices to address the ever-changing threat landscape.

We’re going to break down the notable changes within this revision, as well as the transition timeline for organizations currently in any phase of achieving FedRAMP compliance, so that you can pivot all the more easily.

What are the New FedRAMP Revision 5 Baselines?

In putting together Rev 5, FedRAMP utilized a Threat-Based Methodology to assess the effectiveness of each control in preventing, detecting, and responding to the techniques outlined in the MITRE ATT&CK Framework.

By leveraging threat scoring, FedRAMP was able to keep control additions to the baselines to a minimum—a high-level breakdown of the changes is below:

Baseline

New # of Controls

Rev 5 Changes

Tailored / Low Impact SaaS (LI-SaaS):

156

Added 31 additional controls, including new attest and assess controls.

Low:

156

Added 31 additional controls.

Moderate:

323

2 fewer controls than the Rev 4 moderate baseline, mainly due to several controls being incorporated into other existing controls in NIST 800-53.

High:

410

11 fewer controls than the Rev 4 high baseline, mainly due to several controls being incorporated into other existing controls in NIST 800-53.

Key Changes in FedRAMP Rev 5

Aside from changes to the control totals, Rev 5 introduces other significant changes for FedRAMP, including the integration of new privacy considerations, notable control families, and guidance not featured in Rev 4.

FedRAMP Rev 5 Updated Privacy Requirements

As part of increased emphasis on privacy, Rev 5 introduced updated requirements across multiple control families. Some highlights include:

Requirement #

Change

AT-3

Role-based training now requires privacy training in addition to security training.

CM-3

Configuration Change Control and CM-4 - Impact Analysis now requires privacy impact analysis for configuration changes.

CP-9

System Backup now requires the backup of privacy-related system documentation.

PL-2

System Security and Privacy Plan now requires results of privacy risk assessment for systems processing Personally Identifiable Information (PII) to be provided as well as multiple other privacy-related updates.

In addition, multiple SA controls now require ongoing privacy assessments as part of your SDLC as well as other additional privacy requirements that weren’t part of Rev 4. Similarly, multiple controls within the CA family now feature privacy elements, including mandated documentation and reporting of privacy requirements.

FedRAMP Rev 5 New Control Families and Enhancement

Notable changes to the control families and controls include:

Control Family

Addition/Enhancement

SR

Supply Chain Risk Management

*BRAND NEW*

Addresses more comprehensively the risks associated with the acquisition, development, and maintenance of information systems and components associated with third-party and vendor services, products, and supply chains.

(The Rev 4 High baseline previously included the SA-12 Supply Chain Protection control, but that is now incorporated into the SR family.)

AT-2 (3)

Social Engineering and Mining

Now requires that literacy training on social engineering and social mining be provided at least annually.

IR-6 (3)

Coordination with Supply Chain

Requires that incident information be reported to organizations involved in the supply chain or supply chain governance.

While this control enhancement is not new to the latest version of NIST 800-53, it has now been added to FedRAMP baselines in Rev 5.

RA-5 (11)

Public Disclosure Program

Requires a reporting channel for the public to notify the Cloud Service Provider (CSP) of vulnerabilities.

SI-4 (18)

Analyze Traffic and Covert Exfiltration

Requires outbound communications to be monitored at interior points to detect covert exfiltration of information.

While this control enhancement is not new to the latest version of NIST 800-53, it has now been added to FedRAMP Moderate baseline in Rev 5.
FedRAMP Rev 5 Updated Requirements and Guidance

Control(s)

Update

CA-7
Continuous Monitoring

Requires CSOs authorized via the Agency path with more than one agency ATO to conduct joint monthly ConMon meetings with all agencies.

SC-8, SC-8 (1), SC-13, and SC-28

Requires encryption of ALL data-at-rest and data-in-transit using 140-2 FIPS-validated or NSA-approved cryptography.

CM-6 Configuration Settings

Requires DoD Security Technical Implementation Guides (STIGs), although CIS Level 2 benchmarks are accepted if a STIG does not exist, marking a change from Rev 4 which only required CIS Level 1 benchmarks.

NOTE: Per the Center for Internet Security, the Level 1 profile “is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact.” However, the Level 2 Profile “is considered to be ‘defense in depth’ and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.”

SC-7(b)
Boundary Protection

Requires subnet isolation for public and private system components.

For more information see FedRAMPs subnets whitepaper.

How to Manage Your Transition to FedRAMP Rev 5

If you were around for the FedRAMP Rev 3 to Rev 4 transition, it seems the same key concepts will be followed during the transition to Rev 5. The transition plan went into effect on May 30, 2023, with different guidance that will assist CSPs in various stages of FedRAMP in identifying requirements and actions for moving from Rev 4 to Rev 5:

For Cloud Service Providers in the “Planning Phase”

If You:
  • Are in the process of applying for FedRAMP or are in the readiness review process;
  • Have not yet partnered with an agency (i.e., the agency Authorization Official (AO) has not submitted a formal In Process Request) as of May 30, 2023;
  • Have not contracted with a 3PAO for a Rev 4 assessment as of May 30, 2023; or
  • Have a Joint Authorization Board (JAB) prioritization and have not begun an assessment after the release of the Rev 5 baseline and templates.

What to Do:
  • Implement and test the Rev 5 baseline
  • Use the updated FedRAMP templates when submitting a RAR/SAR package
For Cloud Service Providers in the “Initiation Phase”

If You:
  • Are currently prioritized for the JAB and are currently under contract with a 3PAO;
  • Have been evaluated by a 3PAO and are working towards submitting a P-ATO package;
  • Have initiated the JAB P-ATO review process as of May 30, 2023;
  • Have partnered with a federal agency and are currently under contract with a 3PAO;
  • Are undergoing a 3PAO assessment; or
  • Have been evaluated and have submitted the package for Agency ATO review as of May 30, 2023.

What to Do:
  • You can obtain an ATO/P-ATO using the Rev 4 baseline and templates, but you must identify the differences between your current Rev 4 implementation and the Rev 5 requirements by September 1, 2023, or before the issuance of an ATO/P-ATO—whichever is latest—and that includes:
    • Developing and documenting plans in the SSP and POA&M to address the Rev 4 vs Rev 5 delta; and
    • Posting those documents to the CSP’s package repository.
  • Your transition plan will be assessed during the POA&M management process and/or as part of the upcoming annual assessment (if applicable). Customers can use your schedules and CRMs to understand the impact of planned changes on their own implementation.
For Cloud Service Providers in the “Continuous Monitoring Phase”

If You:
  • Are currently in the continuous monitoring phase with a current FedRAMP authorization.

What to Do:
  • Determine the differences between your existing Rev 4 implementation and Rev 5 requirements by September 1, 2023, including:
    • Developing and documenting plans in the SSP and POA&M to address the Rev 4 vs Rev 5 delta; and
    • Posting those documents to the CSP’s package repository.
  • Revise your plans to reflect any changes based on the information used, such as shared controls by October 2, 2023.

Your transition plan will be assessed during the POA&M management process and/or as part of the upcoming annual assessment.

If you underwent your most recent assessment between January 2, 2023, and July 3, 2023, you have a maximum of one year from the assessment date to finalize all implementation and testing tasks.

If you have an annual assessment planned between July 3, 2023, and December 15, 2023, you’re required to finish all implementation and testing activities before your subsequent scheduled annual assessment.

  • Timeline Note: Because your transition/annual assessment will evaluate that year’s Rev 4 annual assessment control selection AND the conditional delta from Rev 4 to Rev 5, this Rev 5 transition/annual assessment will be wider in scope and may take longer. However, after this Rev 5 transition/annual assessment, you’ll resume the typical annual assessment under a Rev 5 control selection.

Next Steps for Your FedRAMP Rev 5 Compliance

Overall, the transition from FedRAMP Rev 4 to Rev 5 represents a significant update to the program's security controls and assessment process, with changes that ensure your cloud services will meet the latest security standards and address emerging threats and vulnerabilities.

As you now understand, Rev 5 emphasizes the importance of customization and tailoring of security controls to address specific risks and threats to your information systems, an approach that aligns with FedRAMP's strategy of requiring CSPs to demonstrate a baseline of security controls while allowing further customization to meet the unique needs of individual federal agencies.

In the next few weeks, FedRAMP will release updated supporting documentation for the Rev 5 transition, including templates for the SSP, SAP, SAR, RAR, and POA&M for High, Moderate, Low, and Li-SaaS baselines.

ComplianceFedRAMP

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Establishing an Always-Ready State with Continuous Controls Monitoring

Published: 11/21/2024

5 Big Cybersecurity Laws You Need to Know About Ahead of 2025

Published: 11/20/2024

Managing AI Risk: Three Essential Frameworks to Secure Your AI Systems

Published: 11/19/2024

9 Tips to Simplify and Improve Unstructured Data Security

Published: 11/18/2024