October 23, 2023 at 03:04AM
The Federal Risk and Authorization Management Program (FedRAMP) has approved new Revision 5 (Rev. 5) baselines that align with NIST’s “SP 800-53 Rev. 5.” The FedRAMP changes include updated security controls, documentation, and templates, as well as new control families and an increased focus on privacy and customization. Cloud service providers (CSPs) should follow the “FedRAMP Baselines Rev. 5 Transition Guide” to plan their transition. This involves developing a transition schedule, updating documentation, determining the scope of the assessment, conducting the security assessment, and completing a Plan of Action and Milestones (POA&M). FedRAMP provides resources and training to support the transition.
Based on the meeting notes, the key takeaways are as follows:
1. The Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board approved the new Revision 5 (Rev. 5) baselines on May 30, 2023, aligning them with NIST’s “Special Publication (SP) 800-53 Rev. 5” and “SP 800-53B Control Baselines for Information Systems and Organizations.”
2. The new baselines include updates to security controls, documentation, and templates, reflecting changes in NIST SP 800-53 Rev. 5. FedRAMP now also includes guidance for new control families, such as Supply Chain Risk Management, and emphasizes higher configuration management levels, privacy, and customization for agency requirements.
3. Program management (PM) controls remain the responsibility of agencies and are not reflected in the updated baselines.
4. Cloud service providers (CSPs) can transition to FedRAMP Rev. 5 by identifying their current authorization phase (planning, initiation, or continuous monitoring) and following the detailed instructions in the “Transition Guide.”
5. CSPs need to develop a schedule and transition plan, including completing a new Rev. 5 System Security Plan (SSP) and appendices, a Security Assessment Plan (SAP), and a Security Assessment Report (SAR).
6. Updated templates for the SSP and its attachments are provided by the FedRAMP program management office (PMO), and a defined remediation plan is required in the Plan of Action and Milestones (POA&M).
7. The scope of the assessment depends on the specific controls requiring testing, as determined by the organization. FedRAMP provides worksheets and information for the control selection process.
8. Assessors will follow the same processes and procedures for a FedRAMP Rev. 5 assessment but use the new Rev. 5 Test Case templates and the requirements outlined in the “Continuous Monitoring Strategy Guide.”
9. To support the Rev. 5 transition, governance, risk, and compliance (GRC) tools are available to assist with control management and progress tracking. FedRAMP also provides training, educational forums, and program updates.