The Federal Risk and Authorization Management Program (FedRAMP) is a cornerstone of cloud security, rooted in NIST SP 800-53 and now adopting that standard's Revision 5 changes. These guidelines provide a framework for security and privacy controls tailored to federal information systems.
Over time, FedRAMP has continually evolved to adapt to the ever-changing cybersecurity landscape. The most recent transformation, FedRAMP Revision 5, represents an updated approach to aligning security controls with the latest industry standards.
Understanding the NIST-FedRAMP Symbiosis
The intrinsic relationship between FedRAMP and NIST is a fundamental pillar of understanding. With Revision 5, these two programs are evolving harmoniously to ensure seamless alignment, marking a significant milestone in cloud security.
The Dynamics of FedRAMP Revision 5
FedRAMP Revision 5 introduces substantial changes, with a notable emphasis on threat-based methodology. This approach assesses the effectiveness of each control in preventing, detecting, and responding to potential threats outlined in the MITRE ATT&CK Framework.
What’s New in FedRAMP Revision 5?
Revision 5 brings significant FedRAMP changes to the table. By adopting a threat-based methodology, it assesses the effectiveness of each control in preventing, detecting, and responding to potential threats outlined in the MITRE ATT&CK Framework.
Here’s a brief overview of the changes in the different FedRAMP security control baselines:
- Tailored / Low Impact SaaS (LI-SaaS): This baseline now has 156 controls, with 31 additional controls added, including new attest and assess controls.
- Low: There are also 156 controls, with 31 new additions.
- Moderate: This baseline has 323 controls, two fewer than in Revision 4, mainly due to controls being integrated into other existing NIST 800-53 controls.
- High: With 410 controls, this baseline has 11 fewer controls than Revision 4, also because of controls being merged into existing NIST 800-53 controls.
Pivotal Privacy Integration
FedRAMP Revision 5 extends its footprint by deeply integrating FedRAMP privacy controls across control families. Including privacy considerations in FedRAMP Revision 5 is a game-changer for data protection. It recognizes the increasing importance of safeguarding sensitive information, not just from a security perspective but also from a privacy standpoint. Several control families now explicitly demand privacy assessments, ensuring that PII and other private data are given the attention they deserve.
One notable change is in the AT-3 control, which now mandates privacy training in addition to security training. This acknowledges the critical role that privacy plays in protecting sensitive data. In today’s data-driven world, a breach of privacy can have far-reaching consequences, and FedRAMP Revision 5 reflects this reality.
Similarly, CM-3 and CM-4 controls now require privacy impact analysis for configuration changes. This means that every change made to a system must be assessed not only for its security implications but also for its potential impact on user privacy.
FedRAMP Revision 5’s emphasis on privacy integration aligns with the broader regulatory landscape, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), showing that it’s not just about compliance but also responsible data handling.
Here’s a list of some pivotal privacy-related changes:
- AT-3: Role-based training now necessitates privacy training in addition to security training.
- CM-3 (Configuration Change Control) and CM-4 (Impact Analysis): Both now mandate privacy impact analysis for configuration changes.
- CP-9: System Backup now requires the backup of privacy-related system documentation.
- PL-2: The System Security and Privacy Plan now mandates providing results of privacy risk assessments for systems handling Personally Identifiable Information (PII), along with other privacy-related updates.
Revision 5 FedRAMP Password Requirements
The new password requirements under NIST and FedRAMP Revision 5 bring about significant changes. They remove specific elements related to password changes, such as minimum and maximum age, reuse restrictions, and minimum character changes between versions. In their place, the revised controls mandate that federal systems maintain lists of “common, expected, or compromised passwords” and ensure that these passwords are not used. Additionally, the new requirements necessitate the implementation of password strength meters to guide users in choosing stronger passwords.
Moreover, these changes expand password flexibility by allowing very long passwords, for example, up to 64 characters following the NIST SP 800-63B guidelines. Furthermore, the use of any printable character, including spaces, is now permitted within passwords. These changes, while beneficial, may require a considerable amount of time for design, implementation, and documentation in the System Security Plan (SSP) and associated procedures.
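The following is an added illustration of what a Revision 5 style password check looks like in code; it is not code from the article, from Centraleyes, or from FedRAMP. It applies exactly the rules described above: no age, reuse, or composition rules; rejection of passwords found on a common/expected/compromised list; any printable character including spaces; passwords up to 64 characters; and a strength meter for user feedback. The blocklist, the service name `examplecloud`, the 8-character minimum (taken from SP 800-63B, which the page does not quote), and the meter thresholds are all assumptions constructed for the example.

```python
"""Password acceptance check modelled on the Rev 5 / NIST SP 800-63B rules.
Added example, not Centraleyes or FedRAMP code. Blocklist, service name,
minimum length and strength thresholds are constructed assumptions."""
import math
import unicodedata
from dataclasses import dataclass

MAX_LENGTH = 64            # the article's "very long passwords, up to 64 characters"
MIN_LENGTH = 8             # SP 800-63B minimum for memorized secrets (assumption; not on the page)
SERVICE_NAME = "examplecloud"  # constructed; used for the "expected" password check

# Constructed stand-in for a list of common/compromised passwords. A real
# deployment loads a large breach-derived list instead of this handful.
BLOCKLIST = frozenset({
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "correct horse battery staple",
})


@dataclass
class Verdict:
    accepted: bool
    reason: str
    strength: str  # "weak", "fair" or "strong": the meter feedback shown to the user


def _normalize(secret: str) -> str:
    # SP 800-63B: apply Unicode normalization before length and blocklist checks
    # so visually identical strings compare equal.
    return unicodedata.normalize("NFKC", secret)


def strength_meter(secret: str) -> str:
    """Rough entropy estimate (log2 of alphabet size times length), bucketed.
    Length dominates: a long spaced passphrase scores above a short complex one."""
    classes = [
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),   # symbols and spaces
    ]
    alphabet = sum(size for present, size in zip(classes, (26, 26, 10, 33)) if present)
    bits = len(secret) * math.log2(alphabet) if alphabet else 0
    if bits < 40:
        return "weak"
    if bits < 80:
        return "fair"
    return "strong"


def check_password(secret: str, username: str) -> Verdict:
    s = _normalize(secret)
    # Any printable character is allowed; str.isprintable() accepts spaces but
    # rejects control characters such as tabs and newlines.
    if not s.isprintable():
        return Verdict(False, "only printable characters (spaces included) are allowed", "weak")
    if len(s) < MIN_LENGTH:
        return Verdict(False, f"shorter than {MIN_LENGTH} characters", "weak")
    if len(s) > MAX_LENGTH:
        return Verdict(False, f"longer than {MAX_LENGTH} characters", strength_meter(s))
    lowered = s.lower()
    if lowered in BLOCKLIST:
        return Verdict(False, "appears on the common/compromised password list", "weak")
    if username.lower() in lowered or SERVICE_NAME in lowered:
        return Verdict(False, "contains the username or service name (an 'expected' password)", "weak")
    # Deliberately absent: composition rules, maximum age, reuse history and
    # minimum-characters-changed checks, all of which Revision 5 dropped.
    return Verdict(True, "ok", strength_meter(s))


if __name__ == "__main__":
    for candidate in ("password1", "Tr0ub4dor&3", "my dog ate 3 blue socks in 2019"):
        print(candidate, "->", check_password(candidate, "alice"))
```

The meter is intentionally simple; its purpose is to show that, once composition rules are gone, feedback to the user is the mechanism that nudges people toward long passphrases, while the blocklist is the control that actually stops the weak choices.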
Emerging Control Families and Enhancements
FedRAMP Revision 5 doesn’t stop at control counts; it introduces entirely new control families and enhances existing ones:
- SR (Supply Chain Risk Management): This novel addition comprehensively addresses the risks associated with the acquisition, development, and maintenance of information systems, components, and third-party services, products, and supply chains.
- AT-2 (3) (Social Engineering and Mining): This control now requires literacy training on social engineering and social mining at least annually.
- IR-6 (3) (Coordination with Supply Chain): It’s now a mandate to report incident information to organizations involved in the supply chain or supply chain governance.
- RA-5 (11) (Public Disclosure Program): A reporting channel for the public to notify the Cloud Service Provider (CSP) of vulnerabilities is now mandatory.
- SI-4 (18) (Analyze Traffic and Covert Exfiltration): This control now necessitates monitoring outbound communications at interior points to detect covert exfiltration of information.
Revised Requirements and Guidance in FedRAMP Revision 5
Noteworthy changes also encompass specific controls:
- CA-7 (Continuous Monitoring): It requires Chief Security Officers (CSOs) authorized via the Agency path with more than one agency Authorization to Operate (ATO) to conduct joint monthly Continuous Monitoring (ConMon) meetings with all agencies.
- SC-8, SC-8 (1), SC-13, and SC-28: These controls mandate the encryption of ALL data-at-rest and data-in-transit using Federal Information Processing Standard (FIPS) 140-2-validated or National Security Agency (NSA)-approved cryptography.
- CM-6 (Configuration Settings): This control now requires Department of Defense Security Technical Implementation Guides (STIGs), with CIS Level 2 benchmarks as an acceptable alternative if no STIG is available.
Navigating Your Transition to FedRAMP Revision 5
If you’re embarking on the transition to FedRAMP Revision 5, the key steps depend on your current phase:
- For Cloud Service Providers in the “Planning Phase”:
  - Implement and test the Revision 5 baseline.
  - Employ the updated FedRAMP templates when submitting a RAR/SAR package.
- For Cloud Service Providers in the “Initiation Phase”:
  - Identify the disparities between your current Revision 4 implementation and Revision 5 requirements.
  - Develop and document plans in the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) to address these differences.
- For Cloud Service Providers in the “Continuous Monitoring Phase”:
  - Determine the discrepancies between your existing Revision 4 implementation and Revision 5 requirements.
  - Develop and document plans in the SSP and POA&M to address these differences.
  - Revise your plans to reflect any changes based on shared controls.
Preparing for the Future with FedRAMP Revision 5 Compliance
The transition from FedRAMP Revision 4 to Revision 5 ushers in a substantial update to the security controls and the assessment process. FedRAMP Revision 5 is grounded in the principle of customization, tailoring security controls to address the specific risks and threats to information systems, ensuring alignment with the distinct needs of federal agencies.
As you navigate this transition, keep an eye out for updated documentation from FedRAMP, including templates for SSP, SAP, SAR, RAR, and POA&M. For guidance during this crucial phase, consider contacting Centraleyes.
FedRAMP Revision 5 is here to stay, representing a significant leap forward in cloud security standards. Adaptation to these changes is not only a requirement but an opportunity to bolster the security landscape for federal information systems and ensure the protection of sensitive data.
Table: FedRAMP Rev 4 to Rev 5 Transition Overview

| Aspect | FedRAMP Rev 4 | FedRAMP Rev 5 |
| --- | --- | --- |
| Who Can Be Assessed | CSPs under JAB prioritization or with 3PAO contracts | CSPs undergoing a Readiness Assessment or without a sponsor |
| For Initial Assessments | Transition plan by Sep 1, 2023; controls based on leveraged controls by Oct 3, 2023 | CSPs with Rev 4 Annual Assessment by Jul 3, 2023, a transition within 12 months of SAR |
| For Annual Assessments | Unclear if Rev 5 required between Jul 3, 2023, and Dec 15, 2023; expect FAQs for clarity | |
| Control Changes | See below for Low, Moderate, High baselines | See below for Low, Moderate, High, Annual baselines |
Get Your FedRAMP Compliance with Centraleyes
Centraleyes is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management, compliance support, and smart mapping between major regulation and compliance frameworks on the market, including but not limited to: