FedRAMP NIST 800-53 Revision 5 Deep Dive
FedRAMP Releases Proposed Updated Baselines
Following the release of NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 (NIST SP 800-53 Rev 5), the FedRAMP Program Management Office (PMO) has developed new FedRAMP High, Moderate, Low, and Li-SaaS baselines. Cloud Service Providers (CSPs) looking to achieve a FedRAMP ATO, and CSPs looking to recertify their existing ATO, will need to consider the impact on their security implementations, processes, and documentation, as well as on their overall compliance program.
What Changed
Due to the withdrawal of certain controls and the consolidation of other controls in Rev 5, the new High and Moderate baselines will now have fewer controls, while the Low baseline will have an increased number of controls. The High baseline will go from 421 controls to 392 controls, the Moderate baseline will go from 325 controls to 304 controls, and the Low and Li-SaaS baselines will increase to 150 controls.
SR Control Family
The significant changes to the baselines include an expansion of the security controls catalog, which introduces a new control family: Supply Chain Risk Management (SR). The SR family calls for a Supply Chain Risk Management Plan, which suggests that at least one new System Security Plan (SSP) Attachment will be added to the FedRAMP documentation package once the Rev 5 baselines are adopted. Many CSPs will need to develop a supply chain risk management policy, supply chain risk management procedures, and the accompanying plan/attachment. The new SR control family also brings requirements for new security tools, such as anti-tamper solutions, and for a risk management team, which will add new roles and responsibilities for CSP personnel. To ensure compliance with the new requirements, a CSP should consider having a gap assessment performed.
Policy Enhancements
Another change to the new baselines is a requirement that CSPs include in their policies for each control family the designation of a specific official to manage the development, documentation, and dissemination of policies and procedures. The new baselines also require the selection of policies and procedures as either organization-level, mission or business process level, or system level. These changes will require many CSPs to update their policy and procedures documentation.
Threat Hunting
The new baselines also establish “state-of-the-practice” controls, such as a requirement to establish a threat hunting capability that monitors, detects, tracks, and disrupts threats that evade existing controls, and controls that support cyber resilience and secure systems design based on threat intelligence and cyber-attack data. Threat analysis and intelligence capabilities will be necessary for any organization looking to comply with the new baselines.
Overview
With constantly evolving cybersecurity threats and increasing amounts of supply chain attacks every year, these changes will help to improve security for any entity following the new baselines, with an eye towards mitigating risk and preventing security incidents before they occur. Below is a review of the key changes:
- 39 fewer controls in the High Baseline
- 21 fewer controls in the Moderate Baseline
- 25 more controls in the Low Baseline
- 24 more controls in the Li-SaaS Baseline
- Supply Chain Risk Management (SR) family addition
- Implied addition of Supply Chain Risk Management attachment
- Policy enhancements to include corrective action
- “State of the Practice” controls
The PMO will provide CSPs at least six months to transition to the new templates. Check back here for deeper dives into changes in each control family and updates from the FedRAMP PMO.
Contact InfusionPoints for assistance with your FedRAMP journey.
https://lz.infusionpoints.com/fedramp
Control Family Deep Dive
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Security Assessment and Authorization
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communication Protection
17. System and Information Integrity
18. Supply Chain Risk Management
Comply & Conquer - FedRAMP Rev 5 Updates