FedRAMP Revision 5 Explained
Published 07/14/2023
Originally published by Schellman.
Given its standardized approach to assessing, authorizing, and continuously monitoring cloud services used by federal agencies, the Federal Risk and Authorization Management Program (FedRAMP) has been a critical component of the U.S. government's cloud security strategy since its inception in 2011.
As anyone who has worked through the program before understands, FedRAMP leverages the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 guidelines for security and privacy controls for federal information systems. FedRAMP analyzes these controls for their applicability to cloud systems, tailors their parameters accordingly, and has revised the resulting baselines several times.
On May 30, 2023, FedRAMP released the latest Rev 5 of its security control baselines. Rev 5 both incorporates the latest updates from NIST SP 800-53 Revision 5 and aligns with FedRAMP's goal of keeping security controls current with the latest security standards and practices in order to address the ever-changing threat landscape.
We’re going to break down the notable changes within this revision, as well as the transition timeline for organizations currently in any phase of achieving FedRAMP compliance, so that you can pivot all the more easily.
What are the New FedRAMP Revision 5 Baselines?
In putting together Rev 5, FedRAMP utilized a Threat-Based Methodology to assess the effectiveness of each control in preventing, detecting, and responding to the techniques outlined in the MITRE ATT&CK Framework.
By leveraging threat scoring, FedRAMP was able to keep control additions to the baselines to a minimum. A high-level breakdown of the changes is below:

| Baseline | New # of Controls | Rev 5 Changes |
| --- | --- | --- |
| Tailored / Low Impact SaaS (LI-SaaS) | 156 | Added 31 additional controls, including new attest and assess controls. |
| Low | 156 | Added 31 additional controls. |
| Moderate | 323 | 2 fewer controls than the Rev 4 Moderate baseline, mainly due to several controls being incorporated into other existing controls in NIST 800-53. |
| High | 410 | 11 fewer controls than the Rev 4 High baseline, mainly due to several controls being incorporated into other existing controls in NIST 800-53. |
Key Changes in FedRAMP Rev 5
Aside from changes to the control totals, Rev 5 introduces other significant changes for FedRAMP, including the integration of new privacy considerations, notable control families, and guidance not featured in Rev 4.
FedRAMP Rev 5 Updated Privacy Requirements
As part of increased emphasis on privacy, Rev 5 introduced updated requirements across multiple control families. Some highlights include:
| Requirement # | Change |
| --- | --- |
| AT-3 | Role-based training now requires privacy training in addition to security training. |
| CM-3 and CM-4 | Configuration Change Control (CM-3) and Impact Analysis (CM-4) now require privacy impact analysis for configuration changes. |
| CP-9 | System Backup now requires the backup of privacy-related system documentation. |
| PL-2 | System Security and Privacy Plan now requires results of the privacy risk assessment for systems processing Personally Identifiable Information (PII) to be provided, along with multiple other privacy-related updates. |
In addition, multiple SA controls now require ongoing privacy assessments as part of your SDLC as well as other additional privacy requirements that weren’t part of Rev 4. Similarly, multiple controls within the CA family now feature privacy elements, including mandated documentation and reporting of privacy requirements.
FedRAMP Rev 5 New Control Families and Enhancements
Notable changes to the control families and controls include:
| Control Family | Addition/Enhancement |
| --- | --- |
| SR Supply Chain Risk Management *BRAND NEW* | Addresses more comprehensively the risks associated with the acquisition, development, and maintenance of information systems and components associated with third-party and vendor services, products, and supply chains. (The Rev 4 High baseline previously included the SA-12 Supply Chain Protection control, but that is now incorporated into the SR family.) |
| AT-2 (3) Social Engineering and Mining | Now requires that literacy training on social engineering and social mining be provided at least annually. |
| IR-6 (3) Coordination with Supply Chain | Requires that incident information be reported to organizations involved in the supply chain or supply chain governance. While this control enhancement is not new to the latest version of NIST 800-53, it has now been added to the FedRAMP baselines in Rev 5. |
| RA-5 (11) Public Disclosure Program | Requires a reporting channel for the public to notify the Cloud Service Provider (CSP) of vulnerabilities. |
| SI-4 (18) Analyze Traffic and Covert Exfiltration | Requires outbound communications to be monitored at interior points to detect covert exfiltration of information. While this control enhancement is not new to the latest version of NIST 800-53, it has now been added to the FedRAMP Moderate baseline in Rev 5. |
FedRAMP Rev 5 Updated Requirements and Guidance
| Control(s) | Update |
| --- | --- |
| CA-7 | Requires CSOs authorized via the Agency path with more than one agency ATO to conduct joint monthly ConMon meetings with all agencies. |
| SC-8, SC-8 (1), SC-13, and SC-28 | Requires encryption of ALL data-at-rest and data-in-transit using FIPS 140-2-validated or NSA-approved cryptography. |
| CM-6 Configuration Settings | Requires DoD Security Technical Implementation Guides (STIGs), although CIS Level 2 benchmarks are accepted if a STIG does not exist, marking a change from Rev 4, which only required CIS Level 1 benchmarks. NOTE: Per the Center for Internet Security, the Level 1 profile “is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact.” However, the Level 2 profile “is considered to be ‘defense in depth’ and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.” |
| SC-7(b) | Requires subnet isolation for public and private system components. For more information, see FedRAMP's subnets whitepaper. |
How to Manage Your Transition to FedRAMP Rev 5
If you were around for the FedRAMP Rev 3 to Rev 4 transition, the same key concepts appear to apply to the transition to Rev 5. The transition plan went into effect on May 30, 2023, and provides separate guidance for CSPs at each stage of FedRAMP, identifying the requirements and actions for moving from Rev 4 to Rev 5:
For Cloud Service Providers in the “Planning Phase”
For Cloud Service Providers in the “Initiation Phase”
For Cloud Service Providers in the “Continuous Monitoring Phase”
Your transition plan will be assessed during the POA&M management process and/or as part of the upcoming annual assessment. If you underwent your most recent assessment between January 2, 2023, and July 3, 2023, you have a maximum of one year from the assessment date to finalize all implementation and testing tasks. If you have an annual assessment planned between July 3, 2023, and December 15, 2023, you’re required to finish all implementation and testing activities before your subsequent scheduled annual assessment.
Next Steps for Your FedRAMP Rev 5 Compliance
Overall, the transition from FedRAMP Rev 4 to Rev 5 represents a significant update to the program's security controls and assessment process, with changes that ensure your cloud services will meet the latest security standards and address emerging threats and vulnerabilities.
As you now understand, Rev 5 emphasizes the importance of customization and tailoring of security controls to address specific risks and threats to your information systems, an approach that aligns with FedRAMP's strategy of requiring CSPs to demonstrate a baseline of security controls while allowing further customization to meet the unique needs of individual federal agencies.
In the next few weeks, FedRAMP will release updated supporting documentation for the Rev 5 transition, including templates for the SSP, SAP, SAR, RAR, and POA&M for the High, Moderate, Low, and LI-SaaS baselines.