At the end of last year, the Federal Risk and Authorization Management Program (FedRAMP) released a draft of their FedRAMP Revision 5 (Rev 5) baselines. Since the inception of the program in 2011, FedRAMP has used NIST (National Institute of Standards and Technology) standards and guidelines to offer standardized security requirements for cloud service providers (CSPs). As such, the forthcoming FedRAMP Rev 5 is based on NIST 800-53 Rev 5, which was released in September 2020.

Read on to discover how FedRAMP Rev 5 compares to Rev 4, next steps for the program, and other relevant FedRAMP updates.

FedRAMP Rev 4 vs. Rev 5: Introducing a Threat-Based Methodology

The most noteworthy difference between FedRAMP Rev 4 and Rev 5 is that FedRAMP has introduced a threat-based methodology to determine which controls to add on to the established NIST 800-53 Rev 5 baselines.

Specifically, FedRAMP evaluated each NIST 800-53 Rev 5 control on its ability to protect, detect, and/or respond according to the methods outlined in the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework v8.2. MITRE ATT&CK is a carefully curated, regularly updated knowledge base covering cyber threat behavior.

Benefits of FedRAMP’s new threat-based approach include:

• Enhanced security against the top threats to federal information systems
• Identification of notable gaps and duplication in security efforts
• Streamlining of the overall FedRAMP authorization process
• Increased potential for reuse of authorization packages across government agencies

Control Differences in FedRAMP Rev 4 vs. Rev 5

When NIST 800-53 Rev 5 was released, NIST called it “not just a minor update but rather a complete renovation.” I’ve previously written about how this special publication introduced new control categories with a focus on outcome-based controls as well as a greater emphasis on privacy. Consequently, FedRAMP Rev 5 also provides a “proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States.” 

In past revisions of FedRAMP, the number of controls required has been significant, especially for Moderate and High impact levels. However, the new threat-based methodology has minimized the amount of controls added by FedRAMP. Listed below are the number of additional controls that the FedRAMP Program Management Office (PMO) and Joint Advisory Board (JAB) have proposed in addition to the current FedRAMP baselines:

• Low Baseline — 1 additional control
• Moderate Baseline — 17 additional controls
• High Baseline — 22 additional controls

Ultimately, the strategic control selection put forward for FedRAMP Rev 5 will enable a more efficient security authorization process for all parties involved.

Next Steps for FedRAMP Rev 5

The draft of the FedRAMP Rev 5 baselines is open for public comment until April 1, 2022. You can provide feedback on the proposed baselines by annotating this document and emailing it to [email protected] before the deadline.

After feedback has been collected from government entities and the federal security community, FedRAMP will review all public comments and update the Rev 5 baselines accordingly. Once these final changes have been made, FedRAMP Rev 5 will be officially published alongside related documentation, guidance, and an estimated compliance timeline.

When FedRAMP Rev 5 is released, it will include Open Security Controls Assessment Language (OSCAL) versions of the updated baselines. FedRAMP uses OSCAL to automate a large portion of security package review. CSPs and third-party assessment organizations (3PAOs) may also use OSCAL to carry out their own self-tests prior to submission. This technology ultimately results in a faster and more accurate validation and authorization process.

Additional FedRAMP Updates

FedRAMP announced two important updates at the beginning of this year that I’d also like to highlight. First, the program released an updated Readiness Assessment Report (RAR) Guide and templates that are designed to provide more detailed guidance for 3PAOs in assessing CSPs. After completing a RAR, a 3PAO will attest to an organization’s readiness for the official authorization process. The new guide and templates are designed to reduce complexity and redundancy in the process, as well as provide clearer instructions based on feedback from 3PAOs and CSPs.

The second relevant piece of FedRAMP news is the publication of an updated CSP Authorization Playbook to give CSPs a more comprehensive understanding of what the authorization process entails. This updated playbook exists across two volumes: Volume I details how to prepare for FedRAMP, various paths to authorization, and items to consider prior to getting started. Volume II focuses on the development of a high-quality security package to reduce the need for revisions during the review process, including tips for delivering a coherent, digestible package.

Taking the Fast Track to FedRAMP

All of the new FedRAMP updates indicate that the program is taking feedback from the federal security community seriously and is actively working to make the authorization process faster and more efficient for everyone involved. That being said, it can be difficult to adapt to change, especially if you are not deeply familiar with the federal compliance space. As a result of this change, I recommend you review the Revision 5 updated controls and guidance to begin implementing any gaps identified.

Is your organization getting ready to pursue FedRAMP Authorization to Operate (ATO) status now or in the future? A-LIGN is an accredited 3PAO and one of the top FedRAMP assessors in the world based on our in-depth knowledge of federal compliance and hands-on experience helping CSPs get ready to do business with the U.S. government. Visit our website to learn more about our FedRAMP services.