The Federal Risk and Authorization Management Program (FedRAMP) has recently approved new Revision 5 (Rev 5) baselines [1] [2], which align with NIST’s SP 800-53 Rev 5 and SP 800-53B Control Baselines [2]. These changes include updated security controls [1], documentation [1] [2], and templates [1] [2], as well as the addition of a new control family for Supply Chain Risk Management [1].

Description

FedRAMP's Revision 5 baselines change several things at once: the security controls themselves, the documentation [1] [2] and templates [1] [2] that describe them, privacy considerations [1], and the total number of controls in each baseline [1]. Cloud service providers (CSPs) must update their documentation using the new templates issued by the FedRAMP project management office [2]. The scope of a Rev 5 assessment depends on which controls need testing [2]; FedRAMP provides worksheets and guidance to help with control selection [2]. Assessors follow the same processes and procedures as before [2], but testing must use the Rev 5 Test Case templates [2]. CSPs must complete the security assessment [2], define the supporting processes and procedures [2], and document the results [2]. They must also complete a Plan of Action and Milestones (POA&M) [2] that tracks the residual and known risks identified by the third-party assessment organization (3PAO) [1] [2]. GRC tools can help manage the transition [2], and FedRAMP offers training and educational forums for additional support [2]. CSPs transition to Rev 5 by following the phases outlined in the transition guide and determining the scope of their assessment [1].

Conclusion

The approval of the FedRAMP Revision 5 baselines has significant implications for cloud service providers. They must update their documentation and adhere to the new security controls and templates. The addition of a control family for Supply Chain Risk Management reflects the program's attention to evolving threats. Completing the security assessment [1] [2], defining processes and procedures [2], and addressing residual and known risks are the essential steps toward compliance. GRC tools, together with FedRAMP's training and educational forums, further ease the transition. By following the outlined phases and determining the scope of their assessment, CSPs can transition to FedRAMP Rev 5 and strengthen their security posture.

References

[1] https://www.threatshub.org/blog/fedramp-rev-5-how-cloud-service-providers-can-prepare/
[2] https://www.darkreading.com/risk/fedramp-rev-5-how-cloud-service-providers-can-prepare