FedRAMP Releases Updates to ATO Requirements based on NIST SP 800-53 Rev 5 for Public Review

December 22, 2021
stackArmor

The FedRAMP Program Management Office (PMO) at the General Services Administration (GSA) released the updated controls baselines based on NIST SP 800-53 Rev 5. The FedRAMP Security Assessment Framework (SAF) is based on the National Institute of Standards and Technology’s (NIST) Special Publication [SP] 800-53 Rev 4. FedRAMP is expected to migrate to NIST SP 800-53 Rev 5 after a period of review and comments.

Proposed Updates to FedRAMP Controls based on NIST SP 800-53 Rev 5
There are several updates to the controls framework including the incorporation of threat risk scoring. FedRAMP is using a threat-based methodology as outlined in the MITRE ATT&CK Framework. FedRAMP published their intent to use threat-based scoring to provide additional prioritization of risks and need for the right types of controls.

A cursory review of the DRAFT controls baselines shows the revised control counts for the various baselines:
• Low baseline – 150 controls in the new baseline versus 125 controls in the current baseline
• Moderate baseline – 304 controls versus 325 controls in the current baseline
• High baseline – 392 controls versus 421 controls in the current baseline
The comments to the FedRAMP PMO are due by 4/1/2022.

It is important for Cloud service providers seeking FedRAMP ATO’s to stay abreast of the 4 step transition plan outlined by the FedRAMP PMO.

Step 1: Develop draft FedRAMP Baselines from NIST SP 800-53 Rev5 Updates (Current State)

Step 2: Release draft FedRAMP Baselines for Public Comment

Step 3: Update FedRAMP Baselines and Documentation Based on Public Comments

Step 4: Release Final Rev5 FedRAMP Baseline Documentation Updates, and CSP Implementation Plan

We are currently on Step 2 based on the latest announcement. The expectation is that the updated FedRAMP SSP templates and guides will likely become available by Q3 2022 and that the FedRAMP PMO intends to provide atleast 6 months for transition to the new documents.

The stackArmor FedRAMP compliance team will continue to provide updates on this topic. Do you have any questions about FedRAMP ATO requirements? Please contact us at solutions at stackArmor dot com to schedule a meeting with a FedRAMP ATO specialist if you have any questions and want to learn more.

MOST RECENT

Continuous ATO: Going from Authority to Operate (ATO) to Ability to Respond

This white paper explores best practices designed to help reduce the time and cost of ATOs while improving access to risk data using process automation.

Is it time to enforce an Authority-to-Operate (ATO) for Healthcare Organizations?

The Change Healthcare security breach has impacted over 94% of hospitals as reported by the American Health Association (AHA). A cascading set of events was

GSA Small Business Office and FedRAMP PMO looking for Small Business Cloud Solutions

General Services Administration (GSA), Office of Small and Disadvantaged Business Utilization (OSDBU) and The FedRAMP PMO are hosting a webinar on March 21, 2024 to

stackArmor provides FedRAMP, FISMA/RMF, and CMMC/DFARS compliance acceleration services on Amazon Web Services (AWS). stackArmor’s ThreatAlert® Security Platform reduces the time and cost of an ATO by 40%. We serve enterprise customers in Defense, Aerospace, Space, Government, and Healthcare markets as well as ISV’s looking to offer cloud solutions for Government.

Blog

Meeting M-24-10 Deadlines: Can We Adapt FIPS199 to Classify AI Risk?

Security Analyst

Continuous ATO: Going from Authority to Operate (ATO) to Ability to Respond

Washington DC Office:

8300 Greensboro Drive, Suite 990, McLean VA 22102

Form