Double-Edged Sword: New Rev. 5 Resources and Compliance Hurdles

FedRAMP’s transition to NIST 800-53 Revision 5 marks a major shift in the federal cloud landscape, bringing in a new era of security and compliance for Cloud Service Providers (CSPs) and Third-Party Assessment Organizations (3PAOs). As CSPs transition from Rev. 4 to Rev. 5, it’s crucial to understand the latest developments from the FedRAMP PMO. On February 16, 2024, the FedRAMP PMO released updated and new resources designed to clarify compliance requirements for CSPs and 3PAOs. Some notable updates include:

  • Updated Annual Assessment Guidance
  • Revisions to the controls selection worksheet for annual assessments
  • Updates to Authorization Playbooks to match the latest Rev. 5 standards
  • New Continuous Monitoring Deliverables Template
  • Updates to the Vulnerability Deviation Request Form
  • Updates to Vulnerability Scanning Requirements

While these updates reflect FedRAMP's dedication to transparency and partnership with CSPs and 3PAOs, they also introduce the potential for bottlenecks, with the risk of creating new hurdles that may hinder operational efficiency. How will these dual impacts shape the federal cloud landscape? Let’s dive deeper into these critical changes.

How does this impact my annual assessment?

For 3PAO Annual Assessments, periodicity requirements are now clarified and improved as part of the new annual assessment guidance and resources. Historically, control assessments risked skipping or missing controls outside the core or validation controls from the 3PAO. FedRAMP is remediating this risk with the revised CSP Annual Assessment Controls Selection Worksheet by including a new tracking feature for the current and prior two assessments to identify assessed controls within the time period. For example, if the CSP selects control CP-9(1) for their annual assessment, which is not a Rev. 5 High Core control, the 3PAO must assess this at least once within the three-year period to ensure compliance. This clarification is vital to 3PAOs and CSPs during their annual assessments, as it clarifies the requirements and improves the process for control subset identification and validation.

How does this impact my Continuous Monitoring Program?

CSP Continuous Monitoring programs received a boost with new and updated documentation. The newly released Continuous Monitoring Deliverables Template will help stakeholders track Continuous Monitoring activities and deliverables, together with the corresponding control parameters and locations, providing a point-in-time view of the package. Over the long term this gives a more comprehensive overview of a CSP's Continuous Monitoring program and greatly improves stakeholder visibility.

It’s vital that CSPs ensure that Vendor Dependencies (VDs) are properly documented within the Plan of Action and Milestones (POA&M) and submit Deviation Requests (DRs) in certain circumstances. The Deviation Request Form has received an update clarifying VDs. A VD does not automatically require a deviation request except when a VD is High-risk. For these High-risk VDs, a Risk Adjustment (RA) DR is required. FedRAMP also notes that VD Operational Requirement (OR) requests are considered under limited circumstances but doesn’t provide much more context except to say that these must be coordinated with your Authorizing Official or the FedRAMP/JAB team. Importantly, VDs are not allowed to be documented if the software is developed in-house by a CSP's parent company. These changes mark a considerable clarification for CSPs' Continuous Monitoring programs and should be considered during your active transition to Rev. 5.

How does this impact Vulnerability Scanning?

Another change that may impact your Continuous Monitoring program and vulnerability scanning is an update to the CSP Vulnerability Scanning Requirements document. By consolidating the requirements for vulnerability scanning for containers, previously a separate document, FedRAMP is streamlining access to these requirements to support CSP and 3PAO visibility, a step in the right direction for aligning requirements across various stakeholders.

FedRAMP is placing increased scrutiny on scanner configurations, which includes providing machine-readable evidence that configuration settings have not been altered from the 3PAO-validated settings. FedRAMP also notes that if configuration settings are to be changed on scanners (outside of regular patches), the CSP's AO must be notified of and approve the change. This will likely result in increased validity of scanner configurations but may cause bottlenecks when scanner configurations need to change in response to shifts in the threat landscape. Furthermore, scanning results must align between 3PAO assessment scan results and routine continuous monitoring results; FedRAMP notes delays in authorization due to the need for the 3PAO or CSP to reconcile scan results. CSPs and 3PAOs must ensure that scanning validation is emphasized as part of assessment activities of the RA control family to maintain strong oversight and quality control, avoiding negative impact to authorization timelines. The FedRAMP community will certainly have a lot of questions on how to comply with these new requirements to help solidify their approach to meet FedRAMP expectations.

Unpacking the Container Scanning requirements provides more detail for CSPs on FedRAMP’s expectations for this evolving technology. FedRAMP identifies potential risks in the use of container technology. One major change is a newly documented Encryption requirement that was not included in the previous version. FedRAMP emphasizes the importance of securing all data in transit, whether it's between different parts of the same system, such as container-to-container, or within the same container. When leveraging containerization and container-based technologies, CSPs must ensure that all data in transit is encrypted with mechanisms such as FIPS-validated or NSA-approved cryptography. This will be increasingly crucial to demonstrate compliance with SC-8 protection for container technology.

How do I ensure continued compliance with Rev. 5?

For CSPs in the FedRAMP space, staying informed and proactive in adapting to these changes is key to maintaining compliance and ensuring the highest level of security for their cloud services. The latest guidance and templates provided by the FedRAMP PMO are invaluable resources in this transition, offering a roadmap for CSPs to follow on their pathway. For a more comprehensive understanding of these updates and their implications, check out the FedRAMP blog or feel free to reach out to InfusionPoints for support in adapting to these changes.
