
FedRAMP Revision 5 Explained


Given its standardized approach to assessing, authorizing, and continuously monitoring cloud services used by federal agencies, the Federal Risk and Authorization Management Program (FedRAMP) has been a critical component of the U.S. government's cloud security strategy since its inception in 2011. 

As anyone who has worked through the program before understands, FedRAMP leverages the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 guidelines for security and privacy controls for federal information systems. FedRAMP analyzes these controls for applicability, tailors their parameters to cloud systems, and has revised the resulting baselines several times since.

On May 30, 2023, FedRAMP released Rev 5, the latest revision of its security control baselines. Rev 5 both incorporates the latest updates from NIST SP 800-53 Revision 5 and aligns with FedRAMP's goal of keeping its security controls current with the latest security standards and practices to address the ever-changing threat landscape.

As one of the most prolific Third-Party Assessment Organizations (3PAOs) on the FedRAMP Marketplace, we’re going to break down the notable changes within this revision, as well as the transition timeline for organizations currently in any phase of achieving FedRAMP compliance, so that you can pivot all the more easily.

What are the New FedRAMP Revision 5 Baselines?

In putting together Rev 5, FedRAMP utilized a Threat-Based Methodology to assess the effectiveness of each control in preventing, detecting, and responding to the techniques outlined in the MITRE ATT&CK Framework.

By leveraging threat scoring, FedRAMP was able to keep control additions to the baselines to a minimum. A high-level breakdown of the changes, by baseline (new total number of controls, followed by the Rev 5 changes):

  • Tailored / Low Impact SaaS (LI-SaaS): 156 controls. Added 31 additional controls, including new attest and assess controls.
  • Low: 156 controls. Added 31 additional controls.
  • Moderate: 323 controls. 2 fewer controls than the Rev 4 Moderate baseline, mainly due to several controls being incorporated into other existing controls in NIST 800-53.
  • High: 410 controls. 11 fewer controls than the Rev 4 High baseline, mainly due to several controls being incorporated into other existing controls in NIST 800-53.

Key Changes in FedRAMP Rev 5

Aside from changes to the control totals, Rev 5 introduces other significant changes for FedRAMP, including the integration of new privacy considerations, notable control families, and guidance not featured in Rev 4. 

FedRAMP has also implemented a new mandate for Red Team exercises for Rev 5 assessments. In addition to the standard FedRAMP penetration test, all Rev 5 assessments must now include an annual Red Team exercise.

These Red Team exercises simulate attempts by real attackers to compromise the system and go further than a traditional penetration test to provide a more in-depth cybersecurity assessment. For more information about Red Teaming and how it differs from penetration testing, please see our articles here and here. Additional guidance for Red Team exercises is currently being developed by FedRAMP, but it’s important to note that this requirement may considerably prolong the assessment timeline.

FedRAMP Rev 5 Updated Privacy Requirements

As part of its increased emphasis on privacy, Rev 5 introduced updated requirements across multiple control families. Some highlights, by requirement:

  • AT-3: Role-based training now requires privacy training in addition to security training.
  • CM-3 Configuration Change Control and CM-4 Impact Analysis: now require a privacy impact analysis for configuration changes.
  • CP-9 System Backup: now requires the backup of privacy-related system documentation.
  • PL-2 System Security and Privacy Plan: now requires the results of the privacy risk assessment for systems processing Personally Identifiable Information (PII) to be provided, along with multiple other privacy-related updates.

In addition, multiple SA controls now require ongoing privacy assessments as part of your SDLC, as well as other privacy requirements that weren’t part of Rev 4. Similarly, multiple controls within the CA family now feature privacy elements, including mandated documentation and reporting of privacy requirements.

FedRAMP Rev 5 New Control Families and Enhancements

Notable changes to the control families and controls include:

  • SR (Supply Chain Risk Management), a brand new family: addresses more comprehensively the risks associated with the acquisition, development, and maintenance of information systems and components associated with third-party and vendor services, products, and supply chains. (The Rev 4 High baseline previously included the SA-12 Supply Chain Protection control, but that is now incorporated into the SR family.)
  • AT-2 (3) Social Engineering and Mining: now requires that literacy training on social engineering and social mining be provided at least annually.
  • IR-6 (3) Coordination with Supply Chain: requires that incident information be reported to organizations involved in the supply chain or supply chain governance. While this control enhancement is not new to the latest version of NIST 800-53, it has now been added to the FedRAMP baselines in Rev 5.
  • RA-5 (11) Public Disclosure Program: requires a reporting channel for the public to notify the Cloud Service Provider (CSP) of vulnerabilities.
  • SI-4 (18) Analyze Traffic and Covert Exfiltration: requires outbound communications to be monitored at interior points to detect covert exfiltration of information. While this control enhancement is not new to the latest version of NIST 800-53, it has now been added to the FedRAMP Moderate baseline in Rev 5.

FedRAMP Rev 5 Updated Requirements and Guidance

Updated requirements and guidance, by control:

  • CA-8 (2) Red Team Exercises: FedRAMP assessments for Moderate and High systems now require an annual Red Team exercise in addition to the previously required penetration test.
  • CA-7 Continuous Monitoring: requires CSOs authorized via the Agency path with more than one agency ATO to conduct joint monthly ConMon meetings with all agencies.
  • SC-8, SC-8 (1), SC-13, and SC-28: require encryption of ALL data at rest and data in transit using FIPS 140-2-validated or NSA-approved cryptography.
  • CM-6 Configuration Settings: requires DoD Security Technical Implementation Guides (STIGs), although CIS Level 2 benchmarks are accepted if a STIG does not exist, marking a change from Rev 4, which only required CIS Level 1 benchmarks.
    NOTE: Per the Center for Internet Security, the Level 1 profile “is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact.” However, the Level 2 profile “is considered to be ‘defense in depth’ and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.”
  • SC-7(b) Boundary Protection: requires subnet isolation for public and private system components. For more information, see FedRAMP's subnets whitepaper.

How to Manage Your Transition to FedRAMP Rev 5

If you were around for the FedRAMP Rev 3 to Rev 4 transition, the same key concepts appear to apply to the transition to Rev 5. The transition plan went into effect on May 30, 2023, with separate guidance for CSPs at each stage of FedRAMP to help them identify the requirements and actions for moving from Rev 4 to Rev 5:

For Cloud Service Providers in the “Planning Phase”

If You:

  • Have not yet partnered with an agency (i.e., the agency Authorization Official (AO) has not submitted a formal In Process Request) as of May 30, 2023;
  • Have a Joint Authorization Board (JAB) prioritization and have not begun an assessment after the release of the Rev 5 baseline and templates.

What to Do:

  • Implement and test the Rev 5 baseline
  • Use the updated FedRAMP templates when submitting a RAR/SAR package

For Cloud Service Providers in the “Initiation Phase”

If You:

  • Are currently prioritized for the JAB and are currently under contract with a 3PAO;
  • Have been evaluated by a 3PAO and are working towards submitting a P-ATO package;
  • Have initiated the JAB P-ATO review process as of May 30, 2023;
  • Have partnered with a federal agency and are currently under contract with a 3PAO;
  • Have been evaluated and have submitted the package for Agency ATO review as of May 30, 2023.

What to Do:

  • You can obtain an ATO/P-ATO using the Rev 4 baseline and templates, but you must identify the differences between your current Rev 4 implementation and the Rev 5 requirements by September 1, 2023, or before the issuance of an ATO/P-ATO, whichever is later. That includes:
    • Developing and documenting plans in the SSP and POA&M to address the Rev 4 vs Rev 5 delta; and
    • Posting those documents to the CSP’s package repository.
  • Your transition plan will be assessed during the POA&M management process and/or as part of the upcoming annual assessment (if applicable). Customers can use your schedules and CRMs to understand the impact of planned changes on their own implementation.

For Cloud Service Providers in the “Continuous Monitoring Phase”

If You:

  • Are currently in the continuous monitoring phase with a current FedRAMP authorization.

What to Do:

  • Determine the differences between your existing Rev 4 implementation and Rev 5 requirements by September 1, 2023, including:
    • Developing and documenting plans in the SSP and POA&M to address the Rev 4 vs Rev 5 delta; and
    • Posting those documents to the CSP’s package repository.
  • Revise your plans by October 2, 2023, to reflect any changes based on the information used, such as shared controls.

Your transition plan will be assessed during the POA&M management process and/or as part of the upcoming annual assessment.

If you underwent your most recent assessment between January 2, 2023, and July 3, 2023, you have a maximum of one year from the assessment date to finalize all implementation and testing tasks.

If you have an annual assessment planned between July 3, 2023, and December 15, 2023, you’re required to finish all implementation and testing activities before your subsequent scheduled annual assessment.

Timeline Note: Because your transition/annual assessment will evaluate that year’s Rev 4 annual assessment control selection AND the conditional delta from Rev 4 to Rev 5, this Rev 5 transition/annual assessment will be wider in scope and may take longer. However, after this Rev 5 transition/annual assessment, you’ll resume the typical annual assessment under a Rev 5 control selection.
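The recurring step in every phase above is the same: identify the Rev 4 vs Rev 5 delta and turn it into SSP updates and POA&M entries. The following is an added example (not FedRAMP's or Schellman's tooling) that performs that diff over two control selections. The control lists are constructed from the controls this article names and are NOT the official baselines; the SSP status values are likewise constructed.

```python
from dataclasses import dataclass, field

# Constructed Rev 4 selection built from controls this article names;
# NOT the official FedRAMP Rev 4 baseline.
REV4 = {"AC-2", "AT-2", "CA-7", "CA-8", "CM-6", "IR-6", "RA-5", "SA-12",
        "SC-7", "SC-8", "SC-8(1)", "SC-13", "SC-28", "SI-4"}

# Constructed Rev 5 selection: SA-12 withdrawn into the new SR family, plus
# the enhancements the article lists (AT-2(3), CA-8(2), IR-6(3), RA-5(11), SI-4(18)).
REV5 = (REV4 - {"SA-12"}) | {"AT-2(3)", "CA-8(2)", "IR-6(3)", "RA-5(11)",
                             "SI-4(18)", "SR-1", "SR-2", "SR-3"}

# Controls that kept their ID but whose requirement text changed (article:
# CM-6 STIG/CIS Level 2, FIPS encryption scope of SC-8/SC-13/SC-28). Constructed.
CHANGED = {"CM-6", "SC-8", "SC-8(1)", "SC-13", "SC-28"}


def family(control_id: str) -> str:
    """Return the control family prefix, e.g. 'SI-4(18)' -> 'SI'."""
    return control_id.split("-", 1)[0]


@dataclass
class Delta:
    added: list = field(default_factory=list)      # new in Rev 5: implement and test
    withdrawn: list = field(default_factory=list)  # gone in Rev 5: update the SSP
    changed: list = field(default_factory=list)    # same ID, new text: re-assess
    unchanged: list = field(default_factory=list)


def compute_delta(rev4: set, rev5: set, changed: set) -> Delta:
    """Set-diff two control selections into the four buckets above."""
    kept = rev4 & rev5
    return Delta(added=sorted(rev5 - rev4), withdrawn=sorted(rev4 - rev5),
                 changed=sorted(kept & changed), unchanged=sorted(kept - changed))


def poam_items(delta: Delta, ssp_status: dict) -> list:
    """One POA&M row per control needing work before the transition assessment.
    ssp_status maps control ID -> 'implemented' | 'partial' | 'planned'."""
    rows = [{"control": c, "family": family(c),
             "action": "implement and test new Rev 5 control"} for c in delta.added]
    rows += [{"control": c, "family": family(c),
              "action": "re-assess against revised Rev 5 requirement"} for c in delta.changed]
    rows += [{"control": c, "family": family(c),
              "action": "close existing gap before transition assessment"}
             for c in delta.unchanged if ssp_status.get(c, "planned") != "implemented"]
    return rows
```

Withdrawn controls produce no POA&M row; they are the SSP narratives to retire (or re-point to the SR family, as with SA-12) when documenting the delta.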

Next Steps for Your FedRAMP Rev 5 Compliance

Overall, the transition from FedRAMP Rev 4 to Rev 5 represents a significant update to the program's security controls and assessment process, with changes that ensure your cloud services will meet the latest security standards and address emerging threats and vulnerabilities.

As you now understand, Rev 5 emphasizes the importance of customization and tailoring of security controls to address specific risks and threats to your information systems, an approach that aligns with FedRAMP's strategy of requiring CSPs to demonstrate a baseline of security controls while allowing further customization to meet the unique needs of individual federal agencies.

In the next few weeks, FedRAMP will release updated supporting documentation for the Rev 5 transition, including templates for the SSP, SAP, SAR, RAR, and POA&M for the High, Moderate, Low, and LI-SaaS baselines. But if you find you have any questions in the meantime, please feel free to contact us, as our team of experts is apprised of the details of this important update and is ready to help.

About Nate Waddell

Nate Waddell is a Senior Associate in Schellman’s FedRAMP practice and is based in the Washington, DC area. Prior to joining Schellman in 2022, Nate worked as a Security Consultant at a defense and cybersecurity contractor specializing in Federal Government and Department of Defense compliance programs for cloud service providers. Nate has over 8 years of experience within the Information Technology and Information Security fields, serving clients in various industries across audit, compliance, risk management, cybersecurity solution architecture, and network engineering. His credentials include a Master of Science degree in Cybersecurity and Information Assurance as well as the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), and GIAC Certified Incident Handler (GCIH) certifications. Nate is now focused primarily on FedRAMP assessments for organizations across various industries.