FedRAMP Has New Baseline Security Control Requirements

Beware all cyber threats; you have new challenges to face! The Federal Risk and Authorization Management Program(FedRAMP) has implemented the new National Institute of Standards and Technology (NIST) 800-53 Rev.5 baseline and security control requirements to address cyber threats. Considered a new “threat-based methodology”, the changes provide guidance to assist Cloud Service Providers (CSPs), FedRAMP Third-Party Assessment Organizations (3PAOs), and Federal Agencies to transition to the new FedRAMP requirements. The Rev. 5 baseline is an innovative approach that helps the government to inform risk management decisions. Additionally, this approach provides CSPs, 3PAOs and Federal Agencies with an opportunity to expedite the authorization process by prioritizing controls that mitigate threats and vulnerabilities posing the most risks to federal systems and data.

The NIST 800-53 Rev.5 baseline applies to both FedRAMP security and privacy controls. FedRAMP remains a federally managed program that equips CSPs with the necessary information and security measures, such as security assessment and the continuous monitoring of Cloud Service Offerings (CSO). CSPs need these new security measures when they engage with U. S. government agencies because it guarantees a proper level of information security and privacy to those entities that they serve. The upgrade’s focus includes how FedRAMP will utilize the newly introduced security controls.

What Changes Have Occurred?

On May 30, 2023, FedRAMP’s latest change occurred regarding its security control baselines. These baselines now have additional requirements and actions that are implemented according to NIST SP 800-53 Revision 5. The updates from Rev. 4 to Rev.5 are applicable to all Cloud Service Providers who are seeking FedRAMP authorization, and they have to ensure that security controls and practices are compliant with the latest security standards. With the constant moving and changing of IT environment and threat landscapes, these additional requirements will help both federal government and CSPs thwart threats and disruptions.

How Do These Changes Work?

NIST 800-53 Rev. 5 modifies and designs these security controls to address certain risks and threats that can penetrate information systems. The changes in the Rev.5 baselines are reflected within specific impact levels. The three levels are labeled as low, moderate, and high, and CSPs must align their CSOs in accordance with the requirements of different impact levels to assure that the entity is meeting FedRAMP standards. Overall, the baseline changes ensure that CSPs address the specific needs of federal agencies. The changes, too, ensure that these entities receive a more thorough, standardized approach to assessing, getting authorized, and continuously monitoring cloud services.

What Do the Changes Do?

The FedRAMP’s Program Management Office (PMO) and the Joint Advisory Board (JAB), together, have propositioned that the baseline requirements listed below accompany the new controls; they add more coverage, protection, and detailed guidance to the existing security program: The NIST 800-53 Rev. 5 change provides “a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States.”

The three baselines (low, moderate, and high) now have the following controls:

• Low Baseline - 31 additional control

• Moderate Baseline - 2 fewer controls

• High Baseline - 11 fewer controls

The new Threat-Based Methodology is instrumental in allowing “FedRAMP to analyze each NIST SP 800-53, Rev. 5 control within the FedRAMP High baseline on their ability to protect, detect, and/or respond to each of the techniques outlined in the MITRE ATT&CK Framework version 8.2.”

The above baselines rank high in threat scoring. Even though the NIST 800-53 Rev.5 baseline controls show an increase, FedRAMP decreased the number of “moderate and high controls by leveraging threat scoring.”

Also, baseline levels requirements are indicators to the Cloud Service Provider; the low, moderate, high baseline levels determine the entity’s need for either more or less implementation of the baseline security controls.

What Are the Key Benefits?

There are several key benefits for CSPs that acquire FedRAMP’s new threat-based approach to enhancing security. CSPs will experience:

• Enhancement in their security efforts against those identified threats to federal information systems

• An ability to identify gaps and duplicate efforts in their security approach

• The simplification in the implementation of the FedRAMP process

CSPs have no need to worry about the new FedRAMP additions. The Program anticipates providing Rev. 5 updates and interactive training for those entities that are governed by these federal statutes that require compliance.

Are you seeking FedRAMP compliance? As a certified 3PAO, WCG is ready to assist your organization with FedRAMP compliance in accordance with NIST 800-53 Rev. 5.

[1] Bai, Tony. Understanding the New FedRAMP Rev 5 Baselines. Understanding the New FedRAMP Rev 5 Baselines I A-LIGN

[2] FEDRAMP.GOV. December 21, 2021. FedRAMP Publishes Draft Rev. 5 Baselines | FedRAMP.gov

[3] FedRAMP. Gov. FedRAMP Rev. 5 Transition Update. April 27, 2022. FedRAMP Rev. 5 Transition Update | FedRAMP.gov

[4] FedRAMP Baseline Rev. 5 Transition Schedule. FedRAMP Baseline Revision 5 Transition Plan: Transition to the FedRAMP Baselines based on NIST SP 800-53 Revision 5. May 30, 2023. FedRAMP Baselines Rev 5 Transition Guide.

[5] FedRAMP Frequently Asked Questions. 2023. Find Answers to FedRAMP FAQs | FedRAMP.gov

[6] FedRAMP. Looking Ahead - FedRAMP PMO Communications Regarding Rev. 5. June 28, 2023. Looking Ahead - FedRAMP PMO Communications Regarding Rev. 5 | FedRAMP.gov

[7] GSA FedRAMP. Threat-Based Risk Profiling Methodology: PMO Version 2.0. February 15, 2022. V2 to Publish: Threat-Based Risk Profiling Methodology White Paper (fedramp.gov)

[8] NIST. Security and Privacy Controls for Information Systems and Organizations: NIST Publishes SP 800-53, Revision 5. September 23, 2020. Information Technology Laboratory. Computer Security Resource Center. SP 800-53 Revision 5 Published | CSRC (nist.gov)

[9] Waddell, Nate. FedRAMP Revision 5 Explained. FedRAMP Revision 5 Explained | Schellman