FedRAMP Rev. 5 Released

The Federal Risk and Authorization Management Program (FedRAMP) helps government agencies protect federal information while utilizing the power of cloud services without having to duplicate information security work. For cloud service providers (CSP), who offer products like infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), to do business with federal agencies they must be in compliance with FedRAMP standards.

In May 2023 FedRAMP approved and released the Rev. 5 baselines. The update was made to keep FedRAMP in line with the NIST 800-53 Rev. 5 release that went into effect in September 2021. The FedRAMP cloud services security requirements are based on NIST 800-53 security controls and 800-37 for risk management.

What’s New in FedRAMP Rev. 5

New controls have been added and others have been revised to bring FedRAMP more closely in line with NIST 800-53, including the new Supply Chain Risk Management control family. The control counts for moderate and high baseline authorizations were reduced slightly from Rev. 4. The number of low authorization controls increased, some of the additions include:

• AT-02(02): Insider threat training and awareness
• CA-08: Conduct penetration testing
• IA-02(02): Implement multi-factor authentication for access to non-privileged accounts
• IA-02(08): Implement replay-resistant authentication mechanisms for access to privileged accounts & non-privileged accounts
• PL-04(01): Social media and external site/application usage restrictions
• PS-09: Incorporate security and privacy roles and responsibilities into organizational position descriptions
• RA-03(01): Supply chain risk assessment
• SA-04(10): Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems
• SA-22: Implement the security design principle of accountability and traceability
• SC-08(01): Implement cryptographic mechanisms to prevent unauthorized disclosure of information; detect changes to information during transmission
• SR-01: Supply chain risk management policy and procedures (new control family)

FedRAMP released this Rev 4 to Rev 5 comparison summary to provide a detailed look at the control revisions for Rev.5.

Other key components of FedRAMP Rev. 5 include:

• More direct language and specific guidance included for many controls
• Privacy controls, and any other control outside of the FedRAMP baselines, remain at the agency’s discretion
• Program Management (PM) controls remain an agency responsibility and are therefore not included in the baselines
• Updated FedRAMP Open Security Controls Assessment Language (OSCAL) baseline profiles and resolve profile catalogs

Transition Timeline

FedRAMP created this Rev 5 Transition Guide to help organizations create a transition roadmap. The steps a CSP needs to follow depend on which of the following three phases of the authorization process it is in.

Planning Phase: CSPs fall into the Planning Phase if they meet the following criteria:

• Are applying to FedRAMP or are in the readiness review process.
• Have not partnered with a federal agency (i.e., the Agency AO has not submitted a formal In Process Request to the PMO) prior to May 30, 2023.
• Have not contracted with a 3PAO for a Rev. 4 assessment prior to May 30, 2023.
• Have a JAB prioritization but have not begun an assessment after the release of the Rev. 5 baseline and templates.

Planning Phase CSPs need to take the following actions:

• Implement new Rev. 5 baseline and use updated FedRAMP templates.
• Test all new FedRAMP Rev. 5 controls before submitting a package for authorization.

Initiation Phase: CSPs fall into the Initiation Phase if they meet the following criteria:

• CSPs that are currently prioritized for the JAB and are currently under contract with a 3PAO or in 3PAO assessment, have been assessed and are working toward P-ATO package submission, or have kicked off the JABP-ATO review process prior to May 30, 2023
• CSPs who have partnered with a federal agency and are currently under contract with a 3PAO, are undergoing a 3PAO assessment, or have been assessed and have submitted the package for Agency ATO review prior to May 30, 2023

Initiation Phase CSPs need to take the following actions:

• Complete ATO or JAB P-ATO using the Rev. 4 FedRAMP baseline and templates
• By September 1, 2023, or prior to the issuance of an ATO or JAB P-ATO, whichever is latest, identify the delta between their current Rev. 4 implementation and the Rev. 5 requirements
  • Develop plans (including implementation and testing schedule(s)) to address the deltaDocument plans in the SSP and POA&M (and post them to the CSP’s package repository)
  • Update plans based on leveraged CSP information (e.g. shared controls)
    • Customers can use CSP schedules and CRMs to understand planned changes for their own implementation plans
• During the POA&M management process and/or next Annual Assessment (as applicable), assess the implementation of the Rev. 4 to Rev. 5 transition plan

Continuous Monitoring Phase: CSPs who are in continuous monitoring with a current FedRAMP authorization.

Continuous Monitoring Phase CSPs need to take the following actions:

• By September 1, 2023, identify the delta between their current Rev. 4 implementation and the Rev. 5 requirements
  • Develop plans (including implementation and testing schedule(s)) to address the delta
  • Document those plans in the SSP and POA&M (and post them to the CSP’s package repository)
• By October 2, 2023, update plans based on leveraged CSP information (e.g. shared controls)
  • Customers can use CSP schedules and CRMs to understand planned changes for their own implementation plans
• During the POA&M management process and/or next annual assessment (as applicable), assess the implementation of the steps above
  • CSPs with their last assessment completed between January 2, 2023, and July 3, 2023, have at maximum one year from the date of their last assessment to complete all implementation and testing activities
  • CSPs with an annual assessment scheduled between July 3, 2023, and December 15, 2023, will complete all implementation and testing activities no later than their next scheduled annual assessment in 2023/24

CompliancePoint has a suite of cybersecurity services, backed by experienced professionals, that can address all your NIST, FISMA, and FedRAMP needs. Contact us at connect@compliancepoint.com to learn more about how we can help your organization.