FedRAMP Rev. 5: How Cloud Service Providers Can Prepare

On May 30, 2023, the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board approved new Revision 5 (Rev. 5) baselines. The new baselines align with the National Institute of Standards and Technology’s (NIST) “Special Publication (SP) 800-53 Rev. 5” and “SP 800-53B Control Baselines for Information Systems and Organizations.”

This article covers high-level information that cloud service providers (CSPs) need to know to prepare for their transition to FedRAMP Rev. 5, as documented in the “FedRAMP Baselines Rev. 5 Transition Guide.”

What’s Changing in FedRAMP?

The FedRAMP baseline security controls, documentation, and templates were updated to reflect changes in NIST SP 800-53, Rev. 5. This means the two programs will better align with each other.

FedRAMP has also added guidance for many of its controls. There is a new control family, Supply Chain Risk Management. The baselines also require a higher configuration management level of diligence and increased focus on privacy and customization for agency requirements.

Along with these changes, FedRAMP includes “integration of new privacy considerations, notable control families, and guidance not featured in Rev. 4,” as well as “changes to the control totals,” according to IT attestation and compliance firm Schellman.

However, program management (PM) controls remain an agency responsibility and are not reflected in the updated baselines.

How CSPs Can Transition to FedRAMP Rev. 5

Your transition timeline will vary depending on your organization. To begin, identify your current FedRAMP authorization phase. There are three phases outlined in the Rev. 5 transition guide: planning, initiation, and continuous monitoring. Each phase has detailed instructions on the next steps, including an overall timeline; refer to the “Transition Guide” for further information.

Develop a Schedule

To transition to Rev. 5, you need to develop a schedule demonstrating your transition plan, called a Plan of Action and Milestones (POA&M). Major milestone activities listed in the “Transition Guide” are:

  1. CSP: Complete a new Rev. 5 System Security Plan (SSP) and appendices (which, along with the other documents listed below, can be found on the FedRAMP Documents and Templates page).
  2. Assessor: Complete the Security Assessment Plan (SAP) template.
  3. CSP and Assessor: Submit the SSP and SAP to your FedRAMP Joint Authorization Board (JAB) Point of Contact (POC) or agency authorizing official (AO) for approval.
  4. Assessor: Conduct testing.
  5. Assessor: Complete the Security Assessment Report (SAR) template.
  6. CSP and Assessor: Submit the SAR, POA&M, attachments, and updated SSP to the FedRAMP JAB POC or agency AO.

Update Your Documentation

Included in Rev. 5 are new, updated templates for the SSP and attachments, provided by the FedRAMP project management office (PMO). You must complete a new authorization package based on the updated templates.

Determine the Scope of Your Assessment

The scope of your assessment will depend on your determination of specific FedRAMP NIST SP 800-53 Rev. 5 controls that require an assessor to test. According to the “Transition Guide,” all new or modified requirements must be tested and, depending on CSP-specific implementations and continuous monitoring activities, other control testing may be required.

Control selection process: FedRAMP provides in-depth worksheets and information for the control selection process. The main template, the “FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template,” is categorized into High, Moderate, and Low — just like FedRAMP impact levels.

The template, which comes in the form of a spreadsheet, contains four worksheets: Rev. 5 List of Controls, Conditional Controls, CSP-Specific Controls, and Inherited Controls. You can find more information on these worksheets and how to use them in the “Transition Guide.”

Complete the Security Assessment

While there are quite a few differences between FedRAMP Rev. 4 and Rev. 5, assessors will perform the same processes and procedures for a FedRAMP Rev. 5 assessment. The scope of the assessment will differ based on the organization. Testing will require using the FedRAMP Rev. 5 Test Case templates, which can be found in Section 6, FedRAMP Rev. 5 Test Cases (available on the FedRAMP templates page), as well as the requirements outlined in the “Continuous Monitoring Strategy Guide.”

To complete your security assessment, you must: define your processes, procedures, and methodologies for testing in your SAP; define the processes, procedures, and methodologies used in testing as required and document the results of the tests in your SAR; and have your assessor prepare and submit the relevant FedRAMP Security Assessment Test Cases as part of the SAR.

Complete the POA&M

To complete your POA&M, you will need to use the “FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide.” All residual risks listed in your SAR will need a defined plan for remediation. In the POA&M, you also need to include known risks identified by the third-party assessment organization (3PAO) associated with your platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) systems.

Learn More

Tackling FedRAMP Rev. 5 can be overwhelming, but there are governance, risk, and compliance (GRC) tools available to help you get a full repository of your controls, track your progress against the framework, and streamline assessments using automated evidence collection. FedRAMP also provides training and educational forums specific to the Rev. 5 updates and transition process for those looking for additional support. You can also join the FedRAMP subscriber list to receive program updates, important reminders, blog announcements, and the monthly PMO Newsletter to stay up to date on the latest FedRAMP changes.

About the Author

Kayne McGladrey

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member. He focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

Read More HERE

Leave a Reply