In the words of Winston Churchill, “To improve is to change; to be perfect is to change often.” While it’s likely that collectively as business owners, policy drivers, and industry experts, we will never absolutely perfect the task of shielding government organizations and federal agencies from experiencing some sort of cyber vulnerability, we can certainly keep evolving the approach to protect them the best we can. And if introducing updates often is the path, then FedRAMP is on track. Coming off of significant milestones such as hitting its 300th ATO and witnessing a 50% increase in the number of CSOs authorized at the High impact level, the program is already announcing other updates and launching new initiatives. So, let’s catch up with what is going on in the world of FedRAMP.

The FedRAMP Joint Authorization Board Approves Rev. 5 Baselines

We begin with the approval of the FedRAMP Rev. 5 baselines. As FedRAMP explains on its blog, the baselines were updated in response to the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, and SP 800-53B, Control Baselines for Information Systems and Organizations. The program’s approval of the revisions comes with a Cloud Service Provider (CSP) Transition Plan. The plan outlines the differences introduced by Rev. 5, including its closer alignment with NIST and its guidance for controls.

FedRAMP plans to release corresponding training forums this summer. In the meantime, you can read all about what CSPs can expect from the move to Rev. 5, what next steps entail, and how stackArmor can help in our detailed post on the update.

Additionally, the FedRAMP Program Management Office recently released a new version of its Obligations and Compliance Standards. Intended for third-party assessors, the document details requirements around foreign interest and the reporting of reviews to stakeholders. This change lines up with similar cybersecurity-related efforts such as the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program.

Federal Secure Cloud Advisory Committee Welcomes Its First Cohort

News of the Rev. 5 baselines is not the only announcement impacting FedRAMP. The General Services Administration (GSA) has officially gathered the inaugural class of Federal Secure Cloud Advisory Committee (FSCAC) members. The committee will consist of 15 representatives from the public and private sectors who will be in charge of presenting recommendations to the GSA administrator and the FedRAMP Board. As GSA Administrator Robin Carnahan stated in a press release, “Technology changes fast, so ensuring the Federal government, and especially FedRAMP, can quickly respond to that constantly evolving product and threat landscape is critical.”

The committee’s establishment comes as the Government Accountability Office (GAO) reports that some federal organizations are falling short of meeting FedRAMP rules. FedScoop reports that, after auditing the departments of Treasury, Labor, Homeland Security, and Agriculture, GAO found that their systems did not fully satisfy all of the FedRAMP mandate’s requirements.