Since its inception, FedRAMP has used the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) procedures and guidelines as the foundation for providing standardized security requirements and control definitions for cloud service providers wanting to serve the federal market. In fact, FISMA, RMF, FedRAMP, OSCAL, and SCF all use NIST as a gold-standard foundation for standardized compliance guidelines. To align with the updates in NIST’s final release of Rev. 5 (which was drafted in 2020 and open to public comment through October 1 of 2021), FedRAMP has re-established its control baselines accordingly.
In December of 2021, FedRAMP released its new Rev. 5 baselines, re-aligning with the NIST Rev. 5 update. The new baselines are a result of close collaboration between the FedRAMP PMO and the Joint Authorization Board (JAB). The revised baseline controls have been carefully analyzed to mature the depth and effectiveness of cloud-service cybersecurity risk mitigation approaches. The new baselines will better leverage emerging and best-in-class cybersecurity methodologies and technologies to address threats and vulnerabilities, while at the same time answering the rapidly changing cloud-enabled threat landscape.
In addition, the strategic threat-based approach to control selection and definition for Rev. 5 baselines will result in a more outcomes-based authorization process that focuses on risk mitigation specific to each Cloud Service Provider (CSP).
Significant Changes
Unlike the last NIST revision nearly 10 years ago (going from Rev. 3 to Rev. 4), the changes included in Rev. 5 involve a more significant overhaul to the catalog and its framework. In addition to removing “Federal” from the title to indicate that the controls are more generally applicable, changes include the incorporation of new control families and privacy controls, outcomes-based control definitions, and a threat-based analysis of each control. The changes aimed to define new baselines with smarter controls rather than a larger number of controls. Some of the main changes are as follows:
Changes Apply to All Baselines
Both NIST and FedRAMP have low, moderate and high baselines. Under Federal Information Processing Standards (FIPS) 199, which helps categorize federal information and information systems, the baseline required for a system is based on an assessment of the system’s data requirements related to confidentiality, integrity, and availability. All baselines have a new set of controls.
NIST to FedRAMP Baseline Controls Comparison
Based on NIST’s extensive control revisions, as well as FedRAMP’s threat-mitigation approach to controls analysis/selection, FedRAMP only added a limited number of controls to the new NIST baselines to customize its baselines for federal use, as reflected in the following table.
FedRAMP 4 to FedRAMP 5 Baseline Comparison
The number of controls in two of the three FedRAMP baselines (moderate and high) actually decreased from the current version, as indicated in the table below. It should be noted that the slight reduction in the number of controls for these baselines does not necessarily translate to less work, as the new baseline controls are arguably more mature and robust in their definitions, parameters, and expectations of outcomes.
What will Transition/Adoption Look Like for FedRAMP CSPs?
Once FedRAMP reviews and incorporates public comments (public commenting period closed April 1, 2022), it will finalize and publish Rev. 5. In addition, FedRAMP will provide documentation, implementation guidelines, and reasonable timeframes to govern compliance, providing CSPs with existing ATOs and in-process ATOs the information they need to comply.
For CSPs just beginning their FedRAMP journey, Rev. 5 controls can be considered from the onset of the journey once the final version is announced and published. For existing FedRAMP ATOs, CSPs will be given time to analyze the new baseline as part of a gap analysis, implement new and enhanced controls along with documentation, and have those controls assessed by their 3PAO. Aligning the 3PAO assessment for compliance with the Rev. 5 standards will likely be doable during a CSP’s already scheduled annual re-assessment, meaning there won’t necessarily be a need for an extra mid-year assessment. And for CSPs in the middle of a FedRAMP journey, FedRAMP has historically not asked providers to change versions mid-course, meaning it is likely that CSPs would be allowed to complete the process and obtain an ATO based on Rev. 4 criteria, then move to Rev. 5 during the following annual assessment.
OSCAL – Enabling and Evolving Compliance Automation
In many ways, the technology disruptions associated with automation tools and the availability of Open Security Controls Assessment Language (OSCAL) have been instrumental in enabling some of the advancements from Rev. 4 to Rev. 5. In addition to the documented baseline updates for Rev. 5, OSCAL versions of the new baselines will also be made available. This is good news for organizations that already have or are looking to leverage automation to speed up and standardize the end-to-end authorization process. OSCAL can be, and in some cases already has been, used for FedRAMP and other compliance framework baselines for activities such as controls interpretation and implementation, architecture and boundary definitions, compliance self-assessments, documentation package creation, POA&M management and automation, and 3PAO assessment collaboration.
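The gap analysis mentioned above can be driven directly from OSCAL baseline profiles. The following is an added example, not code from FedRAMP or stackArmor: it diffs two profiles in the OSCAL JSON profile layout and groups the delta by control family. The two embedded profiles and their control ids are constructed for illustration and are not the actual baseline contents; the function names are hypothetical, and only explicit `with-ids` selections are handled.

```python
import json
from collections import defaultdict

# Constructed sample profiles in OSCAL JSON profile layout. The control ids are
# illustrative only and are NOT the actual FedRAMP baseline contents.
REV4_PROFILE = json.loads("""
{"profile": {"imports": [{"href": "#rev4-catalog",
  "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.10", "sa-12"]}]}]}}
""")
REV5_PROFILE = json.loads("""
{"profile": {"imports": [{"href": "#rev5-catalog",
  "include-controls": [{"with-ids": ["ac-1", "ac-2", "sr-1", "sr-2", "sr-3"]}],
  "exclude-controls": [{"with-ids": ["sr-3"]}]}]}}
""")


def selected_controls(profile_doc):
    """Return the set of control ids a profile selects through explicit with-ids."""
    selected = set()
    for imp in profile_doc["profile"].get("imports", []):
        if "include-all" in imp:
            # include-all can only be resolved against the imported catalog.
            raise ValueError("include-all is not handled in this example")
        included = {cid for sel in imp.get("include-controls", [])
                    for cid in sel.get("with-ids", [])}
        excluded = {cid for sel in imp.get("exclude-controls", [])
                    for cid in sel.get("with-ids", [])}
        selected |= included - excluded
    return selected


def gap_by_family(old_doc, new_doc):
    """Group controls added to or removed from the baseline by family prefix."""
    old, new = selected_controls(old_doc), selected_controls(new_doc)
    report = defaultdict(lambda: {"added": [], "removed": []})
    for cid in sorted(new - old):
        report[cid.split("-")[0]]["added"].append(cid)    # needs implementing
    for cid in sorted(old - new):
        report[cid.split("-")[0]]["removed"].append(cid)  # review for retirement
    return dict(report)


if __name__ == "__main__":
    gaps = gap_by_family(REV4_PROFILE, REV5_PROFILE)
    for family, delta in sorted(gaps.items()):
        print(family, "added:", delta["added"], "removed:", delta["removed"])
```

An id-level diff only shows which controls enter or leave the baseline. Controls present in both revisions can still differ in statement text and parameters, so those need a comparison of the resolved catalogs.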
About stackArmor
stackArmor helps commercial, public sector and government organizations rapidly comply with FedRAMP, FISMA/RMF, DFARS and CMMC compliance requirements by providing a dedicated authorization boundary, NIST compliant security services, package development with policies, procedures and plans as well as post-ATO continuous monitoring services.