
FedRAMP Revision 5 Explained

The Federal Risk and Authorization Management Program (FedRAMP) has been a cornerstone of the U.S. government's cloud security strategy since its inception in 2011. It provides a standardized approach to assessing, authorizing, and continuously monitoring cloud services used by federal agencies.

FedRAMP leverages the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 guidelines for security and privacy controls for federal information systems. These controls are analyzed for applicability and tailored to cloud systems. They are also revised periodically to reflect the latest security standards and practices.

On May 30, 2023, FedRAMP released Revision 5 (Rev 5) of its security control baselines. Rev 5 incorporates the latest updates from NIST SP 800-53 Revision 5 and aligns with FedRAMP's goal of ensuring that security controls are up-to-date. This blog post will break down the notable changes within Rev 5, as well as the transition timeline for organizations currently in any phase of achieving FedRAMP compliance.


What are the New FedRAMP Revision 5 Baselines?

When building the Rev 5 baselines, FedRAMP applied its Threat-Based Methodology: each NIST SP 800-53 control was scored on how well it prevents, detects, or responds to the adversary techniques catalogued in the MITRE ATT&CK framework. Using these threat scores to decide which controls to select allowed FedRAMP to keep the number of controls added to the baselines to a minimum, rather than adopting every new Rev 5 control wholesale.

[Figure: FedRAMP Rev 5 baseline control totals by impact level; image not reproduced]

Key Changes in FedRAMP Rev 5

In addition to changes to the control totals, Rev 5 introduces other significant changes, including:

  • Integration of new privacy considerations across multiple control families
  • New control families and control enhancements
  • Updated requirements and guidance not present in Rev 4
  • A new requirement for Red Team exercises (control enhancement CA-8(2)) as part of Rev 5 assessments

A Red Team exercise emulates a realistic adversary attempting to compromise the system, with defined objectives rather than a fixed list of hosts to scan. It goes farther than a traditional penetration test: in addition to finding and exploiting vulnerabilities, it tests whether the organization actually detects and responds to the intrusion, which is why it yields a more in-depth assessment of the system's security posture.

FedRAMP is still developing detailed guidance on how Red Team exercises are to be scoped and reported. Until that guidance is final, CSPs should plan for these exercises to add considerable time to the assessment timeline.

FedRAMP Rev 5 Updated Privacy Requirements

As part of its increased emphasis on privacy, Rev 5 introduces updated privacy requirements across multiple control families rather than confining them to a single privacy appendix, as Rev 4 did.

[Figure: FedRAMP Rev 5 privacy requirements; image not reproduced]

FedRAMP Rev 5 New Control Families and Enhancements

Notable changes to the control families and controls include:

[Figure: FedRAMP Rev 5 new control families and enhancements; image not reproduced]

FedRAMP Rev 5 Updated Requirements and Guidance

[Figure: FedRAMP Rev 5 updated requirements and guidance; image not reproduced]

How to Manage Your Transition to FedRAMP Rev 5

The transition plan to Rev 5 went into effect on May 30, 2023. The specific guidance will vary depending on your current stage in the FedRAMP process:


Cloud Service Providers in the Planning Phase

If you are in the process of applying for FedRAMP and have not yet partnered with an agency or contracted with a Third Party Assessment Organization (3PAO) for a Rev 4 assessment, you will need to:

  • Implement and test the Rev 5 baseline

  • Use the updated FedRAMP templates when submitting a Security Assessment Report (SAR) or Package of Evidence (PoE)


Cloud Service Providers in the Initiation Phase

If you are already under contract with a 3PAO for a Rev 4 assessment or are currently being evaluated for a Provisional Authority to Operate (P-ATO), you may complete your ATO/P-ATO using the Rev 4 baseline and templates. However, you must identify the differences between your Rev 4 implementation and the Rev 5 requirements by September 1, 2023, and document your plans to close those gaps in your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).

Cloud Service Providers in the Continuous Monitoring Phase

If you are currently in the continuous monitoring phase with a current FedRAMP authorization, you will need to:

  • Determine the differences between your existing Rev 4 implementation and the Rev 5 requirements by September 1, 2023.

  • Develop and document plans in your SSP and POA&M to address these differences.

  • Update those plans by October 2, 2023 to reflect any changes in the systems you leverage, such as shared or inherited controls whose Rev 5 status depends on the underlying provider.

Next Steps for Your FedRAMP Rev 5 Compliance

Rev 5 emphasizes the importance of customization and tailoring of security controls to address specific risks and threats to your information systems. This aligns with FedRAMP's strategy of requiring Cloud Service Providers (CSPs) to demonstrate a baseline of security controls while allowing further customization to meet the unique needs of individual federal agencies.

In the next few weeks, FedRAMP will release updated supporting documentation for the Rev 5 transition, including templates for the Security Assessment Plan (SAP), Security Assessment Report (SAR), Risk Assessment Report (RAR), System Security Plan (SSP), and Plan of Action & Milestones (POA&M) for the High, Moderate, Low, and Low-Impact Software-as-a-Service (LI-SaaS) baselines.

If you have any questions in the meantime, feel free to contact the author's team, who are prepared to help you plan and execute this transition.