On May 30, 2023, the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board approved the new Revision 5 (Rev 5) baselines. Baselines were adjusted to align with the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 Rev. 5 and SP 800-53B Control Baselines for Information Systems and Organizations.
In this article, we’ll outline everything you need to know to prepare your business as a Cloud Service Provider (CSP), as documented in the FedRAMP Baselines Rev. 5 Transition Guide.
Understanding FedRAMP Rev 5
According to FedRAMP, “the FedRAMP Program Management Office (PMO) updated the FedRAMP baseline security controls, documentation, and templates to reflect the changes in NIST SP 800-53, Rev. 5.”
Put simply, the FedRAMP baselines are being updated to track the changes in NIST SP 800-53, Rev. 5, so that the two programs align more closely. FedRAMP has also added guidance for many of its controls.
Rev. 5 also introduces the new Supply Chain Risk Management control family. Additionally, the level of diligence expected for Configuration Management is heightened, and there is an increased focus on both privacy and customization for agency requirements.
As Schellman outlines, “Rev 5 introduces other significant changes for FedRAMP, including the integration of new privacy considerations, notable control families, and guidance not featured in Rev 4,” as well as “changes to the control totals.”
One last area to note is that Program Management (PM) controls remain an agency responsibility and are not reflected in the updated baselines.
Who does this affect?
While not all organizations will need to transition to this new version of FedRAMP right away, for those that do, this is an urgent update.
For more insight into timelines for organizations at various stages of approval, check out the official FedRAMP CSP Transition Plan.
What are the expectations for organizations seeking FedRAMP compliance?
Per FedRAMP, Cloud Service Providers (CSPs) are expected to “transition all services and components included in the boundary for authorization for NIST SP 800-53, Rev. 5 compliance.” They will also be “required to identify the impact and risks associated with leveraging IaaS and/or PaaS services that have not yet become FedRAMP NIST SP 800-53, Rev. 5, compliant.”
Identifying your phase
To determine the correct timeline for your organization, you will need to identify your current FedRAMP authorization phase. This will allow you to select which timeline fits your organization’s current status so you know what your next steps will be.
There are three authorization phases outlined in the Rev 5 transition guide: planning, initiation, and continuous monitoring. We outline each of these phases and timelines below.
1. Planning phase
According to the Rev. 5 transition guide, CSPs are considered to be in the planning phase if any of the following items apply:
- CSPs applying to FedRAMP or in the readiness review process
- CSPs that have not partnered with a federal agency prior to May 30, 2023
- CSPs that have not contracted with a 3PAO for a Rev. 4 assessment prior to May 30, 2023
- CSPs with a JAB prioritization that have not begun an assessment after the release of the Rev. 5 baseline and templates
For those in the planning phase, the timeline is based on the time it takes to fully implement the new Rev. 5 baseline, as well as the updated FedRAMP templates.
Then, you will need to test all new Rev. 5 controls before submitting a package for authorization.
2. Initiation phase
CSPs are considered to be in the initiation phase if any of the following items apply:
- CSPs that are currently prioritized for the JAB and are currently under contract with a 3PAO or in 3PAO assessment, have been assessed and are working toward P-ATO package submission, or have kicked off the JAB P-ATO review process prior to May 30, 2023
- CSPs who have partnered with a federal agency and are currently under contract with a 3PAO, are undergoing a 3PAO assessment, or have been assessed and have submitted the package for Agency ATO review prior to May 30, 2023
The timeline is more complex for those in the initiation phase. First, you will need to complete your ATO or JAB P-ATO using the Rev. 4 FedRAMP baseline and templates. Then, by September 1, 2023, or prior to the issuance of an ATO or JAB P-ATO (whichever is later), organizations will need to identify the differences (the delta) between their Rev. 4 implementation and the Rev. 5 requirements.
Per FedRAMP, you will need to develop plans, including implementation and testing schedule(s), to address the delta. You will also need to document these plans “in the SSP and POA&M, and post these documents to the CSP’s package repository.”
Updating plans based on “leveraged CSP information,” such as shared controls, is also vital. FedRAMP continues, “customers can use CSP schedules and CRMs to understand planned changes for their own implementation plans.”
Lastly, during the POA&M management process, or the next time you conduct an annual assessment, make sure to assess the overall implementation of the Rev. 4 to Rev. 5 transition plan. According to FedRAMP, “implementation of the Rev. 5 controls must be completed by the next Annual Assessment to support testing of the controls implementation.”
3. Continuous monitoring phase
CSPs are considered to be in the continuous monitoring phase if any of the following items apply:
- CSPs who are in continuous monitoring with a current FedRAMP authorization
Continuous monitoring timeline
By September 1, 2023, CSPs in the continuous monitoring phase will need to “identify the delta between their current Rev. 4 implementation and the Rev. 5 requirements.” This includes developing plans (as in the initiation phase) to address the delta, documenting those plans in the SSP and POA&M, and posting them to the CSP’s package repository.
By October 2, 2023, organizations will need to “update plans based on leveraged CSP information (e.g. shared controls).” Per FedRAMP, they can also “use CSP schedules and CRMs to understand planned changes for their own implementation plans.”
During either the POA&M management process or the next annual assessment, businesses will need to assess the “implementation of the steps above,” according to the following timeline, per FedRAMP:
- CSPs with their last assessment completed between January 2, 2023 and July 3, 2023 have at maximum one year from the date of their last assessment to complete all implementation and testing activities
- CSPs with an annual assessment scheduled between July 3, 2023 and December 15, 2023 will complete all implementation and testing activities no later than their next scheduled assessment in 2023/24
Develop a schedule
Your organization will need to develop a schedule showing your planned transition from Rev. 4 to Rev. 5, and you may enlist your assessor’s help in doing so. Major milestone activities, per FedRAMP, include:
- CSP: Complete new Rev. 5 System Security Plan (SSP) and attachments
- Assessor: Complete the Security Assessment Plan (SAP) Template
- CSP/Assessor: Submit SSP and SAP to FedRAMP JAB POC or Agency Authorizing Official (AO) for approval
- Assessor: Conduct testing
- Assessor: Complete the Security Assessment Report (SAR) Template
- CSP/Assessor: Submit SAR, POA&M, attachments, and updated SSP to FedRAMP JAB POC or Agency AO
Make sure to include timeframes and resources in your schedule, as you will need to support technical and quality assurance reviews of all deliverables.
There are new, updated templates for the SSP and attachments, as provided by the FedRAMP PMO. Per FedRAMP, “CSPs must complete an entirely new authorization package based on the updated templates.”
Determine the scope of your assessment
The scope of your assessment depends on which specific FedRAMP NIST SP 800-53 Rev. 5 controls you determine an assessor must test. Per FedRAMP, “all new or modified requirements introduced in Rev. 5 must be tested and other control testing may need to be required based on CSP-specific implementations and continuous monitoring activities.”
Control selection process
FedRAMP provides in-depth worksheets and information for the control selection process. The main template, known as the FedRAMP Rev 4 to Rev 5 Assessment Controls Selection Template, is categorized into High, Moderate, and Low — just like FedRAMP impact levels.
The template, which comes in the form of a spreadsheet, contains four worksheets: the Rev 5 List of Controls worksheet, the Conditional Controls worksheet, the CSP-Specific Controls worksheet, and the Inherited Controls worksheet. More information on these worksheets and how to use them can be found in the FedRAMP Baselines Rev 5 Transition Guide.
Complete a security assessment
While FedRAMP Rev. 5 has updated controls and requirements, assessors will still perform the same processes and procedures as in any FedRAMP assessment. Based on the control selection process, the scope of the assessment will differ from one organization to another. Testing will use the FedRAMP Rev. 5 Test Cases, which can be found in Section 6, FedRAMP Rev. 5 Test Cases, as well as the requirements outlined in the Continuous Monitoring Strategy Guide.
Prepare and submit your Security Assessment Plan (SAP)
Using the Security Assessment Plan Template, your assessor will prepare and submit the Security Assessment Plan (SAP). FedRAMP states that the SAP should “clearly define the process, procedures, and methodologies for testing.” Based on the control selection process defined in this document, you will need to determine the scope of controls to be tested. Make sure to include only those test cases for selected controls. According to FedRAMP, “some test cases may need modification to address CSP-specific implementations as described in the SSP and other supporting documentation.”
Prepare and submit your Security Assessment Report (SAR)
Using the Security Assessment Report (SAR) Template, your assessor will prepare and submit the SAR. FedRAMP says the SAR “clearly defines process, procedures, and methodologies utilized for testing as required and documents all the results of the testing conducted.” The SAR includes what was tested and what was not tested as part of the assessment, “especially related to inherited controls from leveraged PaaS and IaaS systems as applicable.” The SAR also identifies your “known risks associated with leveraged systems, if applicable.” Lastly, FedRAMP states that “the JAB and/or AO determine whether the overall risk posture of the system, as defined in the SAR, is acceptable.”
Prepare and submit your Security Assessment Test Cases
As part of the SAR, the assessor will prepare and submit the FedRAMP Security Assessment Test Cases. These include all FedRAMP NIST SP 800-53, Rev. 5 control requirements with “associated required test methods,” according to FedRAMP.
As stated by FedRAMP, “the assessor completes the observations and evidence, implementation status, findings, and risk exposure information.” Instructions can be found in Worksheet 1 of the Test Case Workbook, which provides “detailed instructions for the documentation of 3PAO assessment test results.”
Complete plan of action and milestones (POA&M)
Using the FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide, your business can prepare and submit your POA&M. All residual risks identified in the SAR will need to have a defined plan for remediation, as provided in the template. You must include known risks “identified by the 3PAO that are associated with leveraging PaaS and IaaS systems in the POA&M,” per FedRAMP.
How Hyperproof can help
Tackling FedRAMP Rev. 5 can be overwhelming, but with a centralized repository of all of your controls, Hyperproof can help you get off the ground more quickly. In the platform, you can find the full FedRAMP Rev. 5 controls, track your progress against the framework, and streamline your assessments using automated evidence collection.
Interested in learning more? Get a free demo of Hyperproof’s FedRAMP capabilities!