It’s been three years since the National Institute of Standards and Technology (NIST) unveiled the fifth iteration of Special Publication (SP) 800-53. As the basis for the Federal Risk and Authorization Management Program’s (FedRAMP) rigorous security framework, this update has significant implications for cloud service providers (CSPs) that work with the federal government.
Now, CSPs finally have what they’ve been waiting for. In May 2023, the FedRAMP Project Management Office (PMO) approved and released the fifth version of its baseline security controls, known simply as FedRAMP Rev. 5. In turn, the PMO issued guidelines for when and how CSPs must achieve Rev. 5 compliance.
Read on to learn the essential changes to Rev. 5, your new security controls and how you can simplify the authorization and compliance process.
FedRAMP Rev. 5 Explained
At first glance, you might notice there are fewer controls in the program’s Moderate and High baselines. However, Rev. 5 introduced significant changes to all control families, which means achieving compliance unfortunately hasn’t gotten any easier.
Notably, Rev. 5 adds an 18th control family to the mix: Supply Chain Risk Management (SR). Although Rev. 4 included supply chain threats, the relevant controls weren’t grouped into their own family. Additionally, Rev. 5 incorporates SR into other control families, such as Incident Reporting. For example, IR-6 (3) now requires you to report incident information to entities involved in supply chain governance.
Aside from this new family, FedRAMP Rev. 5 also includes important changes related to verbiage and documentation. Let’s break them down individually:
- Outcome-based wording: In the past, FedRAMP’s guidelines focused mostly on the entity responsible for implementing controls. Now, Rev. 5 concentrates primarily on outcomes, as control statements have been updated to emphasize the desired goal of specific actions. This restructuring acknowledges the need for collaboration between teams for proper implementation. The change also makes it clear that a contracted third party can perform risk assessments on behalf of the CSP.
- STIG requirements: Rev. 5 requires CSPs to go beyond their Center for Internet Security (CIS) baselines by implementing Security Technical Implementation Guides (STIGs). However, FedRAMP and STIG requirements may differ. In some cases, STIGs could even prevent solutions from working, which means the CSP must submit a written explanation as to why they can’t implement them. Moreover, they must adopt compensating controls in place of the STIG.
- Control gaps: CSPs must identify gaps between their Rev. 4 and Rev. 5 controls and document them in a Plan of Action and Milestones (POAM). Notably, each Rev. 5 control must be tracked in its own POAM entry.
Rev. 5 Challenges and Solutions
As CSPs transition to Rev. 5, they may find compliance considerably more complicated than before. Roughly a third of all FedRAMP High and Moderate controls have been altered, and in turn, so have their interpretations.
The resulting ambiguity may lead an organization to interpret controls differently than a third-party assessor or the PMO itself. Moreover, implementing and monitoring them will require ample time and financial resources. If not managed properly, those investments may go to waste. Worse yet, these factors put you at higher risk of failing the Rev. 5 audit.
CSPs midway through the authorization process may continue under Rev. 4 temporarily. However, FedRAMP-authorized organizations must comply with Rev. 5 standards by their next annual assessment. Either way, the path forward won’t be simple — unless you work with Project Hosts.
As an experienced third party that works closely with the PMO, our specialists know exactly how Rev. 5 controls are meant to be interpreted. If it’s your first time attempting the assessment process, we can connect your application to the Project Hosts Platform-as-a-Service (PaaS) solution. We’ll implement all requisite controls on your behalf so you can rest assured they’re managed effectively.
Our experts will walk you through the compliance journey from start to finish, sharing their policies and procedures along the way. Better yet, they’ll monitor your application to ensure you’re always in sync with the latest FedRAMP requirements.
Contact our team for more information about how Project Hosts can help you transition and manage Rev. 5 compliance.