As of May 30, 2023, FedRAMP has officially approved and adopted the new Rev. 5 baselines – aligning with the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) Rev. 5 baselines that went into effect in September 2021. Cloud Service Providers (CSPs) with existing authorizations, those who are mid-process, and those looking to achieve a FedRAMP authorization for the first time will all be required to align with the Rev. 5 baselines.
What Changes Can CSPs Expect?
The new baselines include both new controls and required changes to a number of existing management, operational and technical controls across multiple control families. While FedRAMP has provided a complete workbook outlining the exact changes for each control in the new baselines, general changes include:
- Control language that is more directive and outcomes-centric throughout;
- A new Supply Chain Risk Management (SR) control family (taking the total number of families from 17 to 18) – whose policies and procedures will need to be written and controls implemented and accounted for in the System Security Plan (SSP);
- Privacy controls remain at the agency’s discretion, and if required are now included in a new NIST control family – Personally Identifiable Information Processing and Transparency (PT);
- New requirements for policy and procedure documentation management – requiring organizations to identify a documentation management official and categorize policies and procedures (as organization-level, mission or business process level, or system level);
- Many new enhancements and updated parameters for existing controls; and
- Updated documentation templates as well as FedRAMP OSCAL baseline profiles and resolve profile catalogs.
Additionally, the number of controls for all baselines has changed. Controls in scope for both moderate and high baseline authorizations are fewer in number than for Rev. 4, while the number of controls included in the FedRAMP low authorization is higher. The change in these numbers reflects efforts to clarify and streamline security controls and doesn’t necessarily translate to a reduction in the overall workload.
(Figure: FedRAMP Rev. 4 to Rev. 5 Baselines by Number of Controls)
Next Steps for Cloud Service Providers
FedRAMP has provided a 16-page transition plan to help guide CSPs through the next few months and map out the pathway to Rev. 5. The plan presents general timelines and key milestones for CSPs based on their status in the FedRAMP authorization process as of May 30, 2023. Per the transition plan, CSPs will follow the specific transition steps associated with one of the following three phases.
Planning Phase includes CSPs that:
- Are applying to FedRAMP or are in the readiness review process.
- Have not partnered with a federal agency (i.e., the Agency AO has not submitted a formal In Process Request to the PMO) prior to May 30, 2023.
- Have not contracted with a 3PAO for a Rev. 4 assessment prior to May 30, 2023.
- Have a JAB prioritization but have not begun an assessment after release of the Rev. 5 baseline and templates.
Initiation Phase includes CSPs that:
- Are currently prioritized by the JAB and are under contract/mid-assessment or have completed an assessment with a 3PAO or have kicked off the JAB P-ATO process prior to May 30, 2023.
- Have a federal Agency sponsor (the Agency AO has submitted a formal In Process Request to the PMO) and are under contract/mid-assessment or have completed an assessment with a 3PAO or have submitted a package for Agency ATO review prior to May 20, 2023.
Continuous Monitoring Phase includes CSPs that:
- Have a current FedRAMP authorization and are in continuous monitoring.
CSP Transition Processes by Phase
CSPs in Planning Phase
- Implement the new Rev. 5 baseline and use the updated FedRAMP templates.
- Test all new Rev. 5 controls before submitting a package for authorization.
CSPs in Initiation Phase
- Complete ATO or JAB P-ATO using the Rev. 4 FedRAMP baseline and templates.
- By September 1, 2023, or prior to the issuance of an ATO or JAB P-ATO, whichever is later, identify the delta between their current Rev. 4 implementation and the Rev. 5 requirements.
- Develop plans (including implementation and testing schedule(s)) to address the delta.
- Document plans in the SSP and POA&M (and post them to the CSP’s package repository).
- Update plans based on leveraged CSP information (e.g., shared controls).
- Customers can use CSP schedules and CRMs to understand planned changes for their own implementation plans.
- During the POA&M management process and/or next Annual Assessment (as applicable), assess the implementation of the Rev. 4 to Rev. 5 transition plan.
CSPs in Continuous Monitoring Phase
- By September 1, 2023, identify the delta between their current Rev. 4 implementation and the Rev. 5 requirements.
- Develop plans (including implementation and testing schedule(s)) to address the delta.
- Document those plans in the SSP and POA&M (and post them to the CSP’s package repository).
- By October 2, 2023, update plans based on leveraged CSP information (e.g., shared controls).
- Customers can use CSP schedules and CRMs to understand planned changes for their own implementation plans.
- During the POA&M management process and/or next annual assessment (as applicable), assess the implementation of the steps above.
- CSPs whose last assessment was completed between January 2, 2023 and July 3, 2023 have at most one year from the date of that assessment to complete all implementation and testing activities.
- CSPs with an annual assessment scheduled between July 3, 2023 and December 15, 2023 will complete all implementation and testing activities no later than their next scheduled annual assessment in 2023/24.
Implementation of the Rev. 5 controls must be completed by the next Annual Assessment so that the control implementations can be tested.
In support of the transition steps, look for FedRAMP to announce training and education forums that support the transition to Rev. 5. In addition, FedRAMP will be releasing a number of updated artifacts and documentation templates over the summer, including the following:
- FedRAMP OSCAL Baseline Profiles and Resolve Profile Catalogs
- System Security Plan (SSP)
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M) for High, Moderate, Low, and Li-SaaS baselines
- Corresponding FedRAMP OSCAL SSP, SAP, SAR, and POA&M guides
stackArmor is Here to Help
Interpreting, planning for, and implementing all required changes associated with Rev. 5 can be daunting and demand additional resources that stretch beyond those of current CSP teams. And while some CSPs may be ahead of the curve and have their path to Rev. 5 mapped out and resourced, the majority are likely just getting familiar with Rev. 5. That’s where stackArmor can help. Our team of experienced compliance experts can support your organization in identifying and planning for the transition, as well as help shore up gaps in a CSP’s compliance profile.
About stackArmor
stackArmor helps commercial, public sector and government organizations rapidly comply with FedRAMP, FISMA/RMF, DFARS and CMMC compliance requirements by providing a dedicated authorization boundary, NIST-compliant security services, package development with policies, procedures and plans, as well as post-ATO continuous monitoring services.