The FedRAMP Program Management Office (PMO) at the General Services Administration (GSA) released the updated controls baselines based on NIST SP 800-53 Rev 5. The FedRAMP Security Assessment Framework (SAF) is based on the National Institute of Standards and Technology’s (NIST) Special Publication [SP] 800-53 Rev 4. FedRAMP is expected to migrate to NIST SP 800-53 Rev 5 after a period of review and comments.

Proposed Updates to FedRAMP Controls based on NIST SP 800-53 Rev 5
There are several updates to the controls framework, including the incorporation of threat risk scoring. FedRAMP is using a threat-based methodology as outlined in the MITRE ATT&CK Framework. FedRAMP published its intent to use threat-based scoring to further prioritize risks and the need for the right types of controls.

A cursory review of the DRAFT controls baselines shows the revised control counts for the various baselines:
• Low baseline – 150 controls in the new baseline versus 125 controls in the current baseline
• Moderate baseline – 304 controls in the new baseline versus 325 controls in the current baseline
• High baseline – 392 controls in the new baseline versus 421 controls in the current baseline
Comments to the FedRAMP PMO are due by 4/1/2022.

It is important for cloud service providers seeking FedRAMP ATOs to stay abreast of the 4-step transition plan outlined by the FedRAMP PMO.

Step 1: Develop draft FedRAMP Baselines from NIST SP 800-53 Rev5 Updates (Current State)

Step 2: Release draft FedRAMP Baselines for Public Comment

Step 3: Update FedRAMP Baselines and Documentation Based on Public Comments

Step 4: Release Final Rev5 FedRAMP Baseline Documentation Updates, and CSP Implementation Plan

We are currently on Step 2 based on the latest announcement. The expectation is that the updated FedRAMP SSP templates and guides will likely become available by Q3 2022 and that the FedRAMP PMO intends to provide at least 6 months for transition to the new documents.

The stackArmor FedRAMP compliance team will continue to provide updates on this topic. Do you have any questions about FedRAMP ATO requirements? Please contact us at solutions at stackArmor dot com to schedule a meeting with a FedRAMP ATO specialist and learn more.