NIST Rev 5 – What it Means for FedRAMP

Since its inception, FedRAMP has used the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) procedures and guidelines as the foundation for providing standardized security requirements and control definitions for cloud service providers wanting to serve the federal market. In fact, FISMA, RMF, FedRAMP, OSCAL, and SCF all use NIST as a gold-standard foundation for standardized compliance guidelines. To align with the updates in NIST’s final release of Rev. 5 (which was drafted in 2020 and open to public comment through October 1 of 2021,) FedRAMP has re-established their control baselines accordingly.

In December of 2021, FedRAMP released their new Rev 5 baselines, re-aligning with the NIST Rev. 5 update. The new baselines are a result of close collaboration between the FedRAMP PMO and the Joint Authorization Board (JAB). The revised baseline controls have been carefully analyzed to mature the depth and effectiveness of cloud-service cybersecurity risk mitigation approaches. The new baselines will better leverage emerging and best-in-class cybersecurity methodologies and technologies to address threats and vulnerabilities, while at the same time answer the rapidly changing cloud-enabled threat landscape. 

In addition, the strategic threat-based approach to control selection and definition for Rev. 5 baselines will result in a more outcomes-based authorization process that focuses on risk mitigation specific to each Cloud Service Provider (CSP).

Significant Changes

Unlike the last NIST revision nearly 10 years ago (going from Rev. 3 to Rev. 4), the changes included in Rev. 5 involve a more significant overhaul to the catalog and its framework. In addition to removing “Federal” from the title to indicate that the controls more generally applicable, changes include the incorporation of new control families and privacy controls, outcomes-based control definitions, and a threat-based analysis of each control. The changes aimed to define new baselines with smarter controls rather than a larger number of controls. Some of the main changes are as follows:

• Better Defined, Outcome-Based Controls – Updated language in many of the control statements better describes the goals of each control, making them easier to interpret and appropriately implement for both government and non-government organizations. This approach provides more leeway in who or what system is responsible for a control and at the same time focuses on achieving the desired outcome of the stated control. These changes will help broaden the types of operations that can reasonably meet the baseline standards, which is critical as more pressure is being put on commercial operations to meet compliance standards once reserved mainly for government.
  
• Removal of Prioritization Guidance – While Rev. 4 provided guidance as to the priority of controls within a baseline, Rev. 5 no longer employs this concept. This means that each organization has the flexibility to implement and manage the baseline controls in whatever priority order makes the most sense for their organization and the unique threat landscape within which it is operating. 
  
• Focus on Threat-Based Intelligence and Methodologies – Controls that incorporate threat-based intelligence are baked into Rev. 5 baselines, as each control was assessed against a threat framework. FedRAMP followed the MITRE ATT&CK Framework version 8.2 to apply a threat-based methodology to analyze and limit the number of controls FedRAMP added above and beyond the NIST Rev. 5 baseline. At the same time, this approach ensures the effectiveness of each control to specifically mitigate risk.
  
• Generalization to Improve Applicability across Types of Organizations – To make it easier to apply Rev. 5 NIST guidelines across different types of organizations and disparate types of environments, NIST introduced a supplementary publication entitled NIST SP 800-53B. This publication defines the three baselines (low-impact, medium-impact and high-impact), which used to be incorporated into the main 800-53 controls catalog, and provides additional implementation guidance to help users interpret and implement the controls in a way that makes sense for their specific technologies and environments.

• Privacy Focus/New Family – In a move that helps normalize best-practice cybersecurity controls across industries, including healthcare applications, Rev. 5 expands implementation expectations with regard to privacy controls. With the new Privacy Baseline and a new Personally Identifiable Information Processing and Transparency control family, privacy is no longer relegated to an appendix (Appendix J in Rev. 4), but instead is part of the main catalog.
  
• Supply Chain Focus/New Family – A second new family, Supply Chain Risk Management, increases focus on supply chain security, reflecting a recent focus on risks associated with critical infrastructure and government supply chains.
  
• Many New and Improved Controls – While it is true that there are many new controls (66), and 2 new control families  (Personally Identifiable Information Processing and Transparency and Supply Chain Risk Management), there were 202 new control enhancements, 131 new parameters to existing controls, 90 controls that were moved/incorporated into other controls, as well as 92 previously withdrawn controls. This reinforces that changes made in Rev. 5 focus on providing guidance based smarter cybersecurity operations rather than simply layering on additional controls. 

Changes Apply to All Baselines

Both NIST and FedRAMP have low, moderate and high baselines. Based on Federal Information Processing Standards (FIPS) 199 which help categorize federal information and information systems, the baseline required for a system is based on an assessment of the system’s data requirements related to confidentiality, integrity, and availability. All baselines have a new set of controls.

• Low Baseline – For systems with data intended for public use. Data loss wouldn’t compromise an organization’s mission, safety, finances, or reputation. These are generally low risk, non mission-critical systems that don’t collect important data.
• Moderate Baseline – For systems that include data that’s not available to the public, such as personally identifiable information. A breach could have a serious impact on an organization’s operations.
• High Baseline – For systems that include sensitive federal information, such as law enforcement, emergency services, and healthcare data. Breaches would likely be catastrophic – potentially shutting down operations, resulting in financial ruin, or posing a threat to intellectual property or human life. High controls largely aim to reduce the chance of human error, and therefore rely more heavily on automated processes.

NIST to FedRAMP Baseline Controls Comparison

Based on NIST’s extensive control revisions, as well as FedRAMP’s threat-mitigation approach to controls analysis/selection, FedRAMP only added a limited number of controls to the new NIST baselines to customize their baselines for federal as reflected in the following table.  

FedRAMP 4 to FedRAMP 5 Baseline Comparison

The number of controls in two of the three FedRAMP baselines (moderate and high) actually decreased in number from the current version as indicated in the table below. It should be noted that the slight reduction in number of controls for these baselines does not necessarily translate to less work, as the new baseline controls are arguably more mature and robust in their definitions, parameters, and expectations of outcomes.

What will Transition/Adoption Look Like for FedRAMP CSPs?

Once FedRAMP reviews and incorporates public comments (public commenting period closed April 1, 2022), it will finalize and publish Rev. 5. In addition, FedRAMP will provide documentation, implementation guidelines, and reasonable timeframes to govern compliance, providing CSPs with existing ATOs and in-process ATOs the information they need to comply. 

For CSPs just beginning their FedRAMP journey, Rev. 5 controls can be considered from the onset of the journey once the final version is announced and published. For existing FedRAMP ATOs, CSPs will be given time to analyze the new baseline as part of a gap analysis, implement new and enhanced controls along with documentation, and have those controls assessed by their 3PAO. Aligning the 3PAO assessment for compliance with the Rev. 5 standards will likely be doable during a CSPs already scheduled annual re-assessment, meaning there won’t necessarily be a need for an extra mid-year assessment. And for CSPs in the middle of a FedRAMP journey, FedRAMP has historically not asked providers to change versions mid-course, meaning it is likely that CSPs would be allowed to complete the process and obtain an ATO based on Rev. 4 criteria, then move to Rev. 5 during the following annual assessment.

OSCAL – Enabling and Evolving Compliance Automation

In many ways, the technology disruptions associated with automation tools and the availability of Open Security Controls Assessment Language (OSCAL) have been instrumental in enabling some of the advancements from Rev. 4 to Rev. 5. In addition to the documented baseline updates for Rev. 5, OSCAL versions of the new baselines will also be made available. This is good news for organizations that already have or are looking to leverage automation to speed up and standardize the end-to-end authorization process. OSCAL can, and in some cases already has been used for FedRAMP and other compliance framework baselines for activities such as controls interpretation and implementation, architecture and boundary definitions, compliance self-assessments, documentation package creation, POA&M management and automation, and 3PAO assessment collaboration. 

About stackArmor

stackArmor helps commercial, public sector and government organizations rapidly comply with FedRAMP, FISMA/RMF, DFARS and CMMC compliance requirements by providing a dedicated authorization boundary, NIST compliant security services, package development with policies, procedures and plans as well as post-ATO continuous monitoring services.